Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HUEtVS3MQe.exe

Overview

General Information

Sample name:HUEtVS3MQe.exe
renamed because original name is a hash value
Original sample name:f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6.exe
Analysis ID:1567546
MD5:45209596ce41c4359e9006a940042763
SHA1:8559b5a187ee146a869301e5c0fb23a5c4510772
SHA256:f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6
Tags:exeFormbookuser-adrian__luca
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • HUEtVS3MQe.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\HUEtVS3MQe.exe" MD5: 45209596CE41C4359E9006A940042763)
    • powershell.exe (PID: 5288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • mstsc.exe (PID: 7372 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • cmd.exe (PID: 7432 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wlanext.exe (PID: 7380 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)
  • OEcHGGP.exe (PID: 7136 cmdline: C:\Users\user\AppData\Roaming\OEcHGGP.exe MD5: 45209596CE41C4359E9006A940042763)
    • schtasks.exe (PID: 7304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7348 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.asposted.online/gy15/"], "decoy": ["hairsdeals.today", "acob-saaad.buzz", "9955.club", "gild6222.vip", "nline-shopping-56055.bond", "lmadulles.top", "utemodels.info", "ighdd4675.online", "nqqkk146.xyz", "avasales.online", "ortas-de-madeira.today", "haad.xyz", "races-dental-splints-15439.bond", "hilohcreekpemf.online", "rrivalgetaways.info", "orktoday-2507-02-sap.click", "eceriyayinlari.xyz", "lsurfer.click", "aston-saaae.buzz", "etrot.pro", "68mp269rf.autos", "ndia567.vip", "jinni.buzz", "rey.app", "enior-living-72184.bond", "rogramdokpirdarmowy.today", "ejcloud.info", "ools-59989.bond", "astbiz.net", "ixaahx.shop", "hqaiop.xyz", "indow-replacement-46487.bond", "rogramdokpirdarmowy.today", "remoter.net", "ecorationworld.net", "ilkool.info", "bandoned-houses-50880.bond", "andscaping-services-2507.today", "42ve.shop", "orthfitness.net", "ink-gluwty.online", "18721.club", "ahrump.homes", "uuxe6hi1l.lol", "hopbestdeals.online", "rocbotserver2.online", "8210.app", "oftware-download-44761.bond", "78ex.net", "lake-paaab.buzz", "olocal.app", "oxpal.best", "hetinkerfoundation.net", "eleerm-czjp.top", "omaininformaniacion.fun", "ahadevindia.info", "j11.online", "isax.xyz", "lennuser.shop", "48691640.top", "6747.asia", "stralvoyage.website", "aihora.info", "0372.photo"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
      • 0x18819:$sqlite3step: 68 34 1C 7B E1
      • 0x1892c:$sqlite3step: 68 34 1C 7B E1
      • 0x18848:$sqlite3text: 68 38 2A 90 C5
      • 0x1896d:$sqlite3text: 68 38 2A 90 C5
      • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
      Click to see the 38 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      12.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        12.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          12.2.RegSvcs.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          12.2.RegSvcs.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          12.2.RegSvcs.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
          • 0x17a19:$sqlite3step: 68 34 1C 7B E1
          • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a48:$sqlite3text: 68 38 2A 90 C5
          • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
          Click to see the 5 entries

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUEtVS3MQe.exe", ParentImage: C:\Users\user\Desktop\HUEtVS3MQe.exe, ParentProcessId: 6856, ParentProcessName: HUEtVS3MQe.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", ProcessId: 5288, ProcessName: powershell.exe
          Sigma detected: Powershell Defender Exclusion
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUEtVS3MQe.exe", ParentImage: C:\Users\user\Desktop\HUEtVS3MQe.exe, ParentProcessId: 6856, ParentProcessName: HUEtVS3MQe.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", ProcessId: 5288, ProcessName: powershell.exe
          Sigma detected: Suspicious Add Scheduled Task Parent
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OEcHGGP.exe, ParentImage: C:\Users\user\AppData\Roaming\OEcHGGP.exe, ParentProcessId: 7136, ParentProcessName: OEcHGGP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp", ProcessId: 7304, ProcessName: schtasks.exe
          Sigma detected: Suspicious Schtasks From Env Var Folder
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HUEtVS3MQe.exe", ParentImage: C:\Users\user\Desktop\HUEtVS3MQe.exe, ParentProcessId: 6856, ParentProcessName: HUEtVS3MQe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", ProcessId: 2060, ProcessName: schtasks.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUEtVS3MQe.exe", ParentImage: C:\Users\user\Desktop\HUEtVS3MQe.exe, ParentProcessId: 6856, ParentProcessName: HUEtVS3MQe.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe", ProcessId: 5288, ProcessName: powershell.exe

          Persistence and Installation Behavior

          barindex
          Sigma detected: Scheduled temp file as task from temp location
          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HUEtVS3MQe.exe", ParentImage: C:\Users\user\Desktop\HUEtVS3MQe.exe, ParentProcessId: 6856, ParentProcessName: HUEtVS3MQe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp", ProcessId: 2060, ProcessName: schtasks.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-03T16:56:42.094355+010020314531Malware Command and Control Activity Detected192.168.2.45000723.167.152.4180TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-03T16:56:19.622146+010028494291Attempted Administrator Privilege Gain1.1.1.153192.168.2.462268UDP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: HUEtVS3MQe.exeAvira: detected
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeAvira: detection malicious, Label: TR/AD.Swotter.bqqlz
          Found malware configuration
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.asposted.online/gy15/"], "decoy": ["hairsdeals.today", "acob-saaad.buzz", "9955.club", "gild6222.vip", "nline-shopping-56055.bond", "lmadulles.top", "utemodels.info", "ighdd4675.online", "nqqkk146.xyz", "avasales.online", "ortas-de-madeira.today", "haad.xyz", "races-dental-splints-15439.bond", "hilohcreekpemf.online", "rrivalgetaways.info", "orktoday-2507-02-sap.click", "eceriyayinlari.xyz", "lsurfer.click", "aston-saaae.buzz", "etrot.pro", "68mp269rf.autos", "ndia567.vip", "jinni.buzz", "rey.app", "enior-living-72184.bond", "rogramdokpirdarmowy.today", "ejcloud.info", "ools-59989.bond", "astbiz.net", "ixaahx.shop", "hqaiop.xyz", "indow-replacement-46487.bond", "rogramdokpirdarmowy.today", "remoter.net", "ecorationworld.net", "ilkool.info", "bandoned-houses-50880.bond", "andscaping-services-2507.today", "42ve.shop", "orthfitness.net", "ink-gluwty.online", "18721.club", "ahrump.homes", "uuxe6hi1l.lol", "hopbestdeals.online", "rocbotserver2.online", "8210.app", "oftware-download-44761.bond", "78ex.net", "lake-paaab.buzz", "olocal.app", "oxpal.best", "hetinkerfoundation.net", "eleerm-czjp.top", "omaininformaniacion.fun", "ahadevindia.info", "j11.online", "isax.xyz", "lennuser.shop", "48691640.top", "6747.asia", "stralvoyage.website", "aihora.info", "0372.photo"]}
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeReversingLabs: Detection: 73%
          Multi AV Scanner detection for submitted file
          Source: HUEtVS3MQe.exeReversingLabs: Detection: 73%
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: HUEtVS3MQe.exeJoe Sandbox ML: detected
          Source: HUEtVS3MQe.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: HUEtVS3MQe.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4166306293.0000000010F7F000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4149107938.0000000004ECF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147857813.0000000002C84000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1775233680.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1773205431.000000000461B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004980000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1777329434.00000000038FB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1775098668.0000000003748000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000006.00000002.1775583788.0000000001028000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1776453181.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1780350544.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1775233680.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1773205431.000000000461B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004980000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1777329434.00000000038FB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1775098668.0000000003748000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1781418449.0000000003250000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147426561.00000000008A0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4166306293.0000000010F7F000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4149107938.0000000004ECF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147857813.0000000002C84000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: RegSvcs.exe, 0000000C.00000002.1781418449.0000000003250000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147426561.00000000008A0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1775583788.0000000001028000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1776453181.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1780350544.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then pop ebx12_2_00407B1C

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 23.167.152.41:80
          Source: Network trafficSuricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 23.167.152.41:80
          Source: Network trafficSuricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 23.167.152.41:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: www.asposted.online/gy15/
          Performs DNS queries to domains with low reputation
          Source: DNS query: www.eceriyayinlari.xyz
          Tries to resolve many domain names, but no domain seems valid
          Source: unknownDNS traffic detected: query: www.ilkool.info replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.asposted.online replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.ink-gluwty.online replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.hopbestdeals.online replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.etrot.pro replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.rogramdokpirdarmowy.today replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.eceriyayinlari.xyz replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.ighdd4675.online replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.hilohcreekpemf.online replaycode: Name error (3)
          Source: unknownDNS traffic detected: query: www.indow-replacement-46487.bond replaycode: Name error (3)
          Source: Network trafficSuricata IDS: 2849429 - Severity 1 - ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577) : 1.1.1.1:53 -> 192.168.2.4:62268
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: www.indow-replacement-46487.bond
          Source: global trafficDNS traffic detected: DNS query: www.ighdd4675.online
          Source: global trafficDNS traffic detected: DNS query: www.eceriyayinlari.xyz
          Source: global trafficDNS traffic detected: DNS query: www.hopbestdeals.online
          Source: global trafficDNS traffic detected: DNS query: www.etrot.pro
          Source: global trafficDNS traffic detected: DNS query: www.hilohcreekpemf.online
          Source: global trafficDNS traffic detected: DNS query: www.ilkool.info
          Source: global trafficDNS traffic detected: DNS query: www.asposted.online
          Source: global trafficDNS traffic detected: DNS query: www.18721.club
          Source: global trafficDNS traffic detected: DNS query: www.rogramdokpirdarmowy.today
          Source: global trafficDNS traffic detected: DNS query: www.ink-gluwty.online
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3479264550.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3113930800.0000000009834000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3479264550.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3113930800.0000000009834000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3479264550.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3113930800.0000000009834000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3479264550.0000000009834000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3113930800.0000000009834000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000007.00000003.3107589395.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4160121391.000000000C99E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1727625421.000000000C9A5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
          Source: explorer.exe, 00000007.00000003.3107589395.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4160121391.000000000C99E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1727625421.000000000C9A5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
          Source: explorer.exe, 00000007.00000002.4153700221.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1722295597.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1716236899.0000000007F40000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: HUEtVS3MQe.exe, 00000000.00000002.1729022718.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, OEcHGGP.exe, 00000008.00000002.1770502721.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.18721.club
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.18721.club/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.18721.club/gy15/www.rogramdokpirdarmowy.today
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.18721.clubReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ahrump.homes
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ahrump.homes/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ahrump.homes/gy15/www.ixaahx.shop
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ahrump.homesReferer:
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online/gy15/www.18721.club
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.onlineReferer:
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eceriyayinlari.xyz
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eceriyayinlari.xyz/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eceriyayinlari.xyz/gy15/www.hopbestdeals.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eceriyayinlari.xyzReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etrot.pro
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etrot.pro/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etrot.pro/gy15/www.hilohcreekpemf.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etrot.proReferer:
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net/gy15/www.ahrump.homes
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.netReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online/gy15/www.ilkool.info
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.onlineReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online/gy15/www.etrot.pro
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.onlineReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz/gy15/www.ink-gluwty.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyzReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighdd4675.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighdd4675.online/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighdd4675.online/gy15/www.eceriyayinlari.xyz
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighdd4675.onlineReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilkool.info
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilkool.info/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilkool.info/gy15/www.asposted.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilkool.infoReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond/gy15/www.ighdd4675.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bondReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ink-gluwty.online
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ink-gluwty.online/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ink-gluwty.online/gy15/www.hetinkerfoundation.net
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ink-gluwty.onlineReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop/gy15/www.lennuser.shop
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shopReferer:
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lennuser.shop
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lennuser.shop/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lennuser.shop/gy15/PZ
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lennuser.shopReferer:
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rogramdokpirdarmowy.today
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rogramdokpirdarmowy.today/gy15/
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rogramdokpirdarmowy.today/gy15/www.hqaiop.xyz
          Source: explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rogramdokpirdarmowy.todayReferer:
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732757357.0000000005794000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com0
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000007.00000003.3110105886.000000000370C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1711583637.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147368623.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3116128709.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4148842674.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1710692009.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000007.00000002.4154707016.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114945730.0000000009701000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000007.00000002.4154707016.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114945730.0000000009701000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4161736928.000000000E6AC000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: HUEtVS3MQe.exe PID: 6856, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: OEcHGGP.exe PID: 7136, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: mstsc.exe PID: 7372, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: wlanext.exe PID: 7380, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2B60 NtClose,LdrInitializeThunk,6_2_014F2B60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_014F2BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2AD0 NtReadFile,LdrInitializeThunk,6_2_014F2AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_014F2D10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_014F2D30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2DD0 NtDelayExecution,LdrInitializeThunk,6_2_014F2DD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_014F2DF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_014F2C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_014F2CA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2F30 NtCreateSection,LdrInitializeThunk,6_2_014F2F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2FE0 NtCreateFile,LdrInitializeThunk,6_2_014F2FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2F90 NtProtectVirtualMemory,LdrInitializeThunk,6_2_014F2F90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2FB0 NtResumeThread,LdrInitializeThunk,6_2_014F2FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_014F2E80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_014F2EA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F4340 NtSetContextThread,6_2_014F4340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F4650 NtSuspendThread,6_2_014F4650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2BE0 NtQueryValueKey,6_2_014F2BE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2B80 NtQueryInformationFile,6_2_014F2B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2BA0 NtEnumerateValueKey,6_2_014F2BA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2AF0 NtWriteFile,6_2_014F2AF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2AB0 NtWaitForSingleObject,6_2_014F2AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2D00 NtSetInformationFile,6_2_014F2D00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2DB0 NtEnumerateKey,6_2_014F2DB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2C60 NtCreateKey,6_2_014F2C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2C00 NtQueryInformationProcess,6_2_014F2C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2CC0 NtQueryVirtualMemory,6_2_014F2CC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2CF0 NtOpenProcess,6_2_014F2CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2F60 NtCreateProcessEx,6_2_014F2F60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2FA0 NtQuerySection,6_2_014F2FA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2E30 NtWriteVirtualMemory,6_2_014F2E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2EE0 NtQueueApcThread,6_2_014F2EE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F3010 NtOpenDirectoryObject,6_2_014F3010
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F3090 NtSetValueKey,6_2_014F3090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F35C0 NtCreateMutant,6_2_014F35C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F39B0 NtGetContextThread,6_2_014F39B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F3D70 NtOpenThread,6_2_014F3D70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F3D10 NtOpenProcessToken,6_2_014F3D10
          Source: C:\Windows\explorer.exeCode function: 7_2_0E694232 NtCreateFile,7_2_0E694232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E695E12 NtProtectVirtualMemory,7_2_0E695E12
          Source: C:\Windows\explorer.exeCode function: 7_2_0E695E0A NtProtectVirtualMemory,7_2_0E695E0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A330 NtCreateFile,12_2_0041A330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A3E0 NtReadFile,12_2_0041A3E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A460 NtClose,12_2_0041A460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A510 NtAllocateVirtualMemory,12_2_0041A510
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A2EB NtCreateFile,12_2_0041A2EB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A3DA NtReadFile,12_2_0041A3DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A45A NtClose,12_2_0041A45A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041A50C NtAllocateVirtualMemory,12_2_0041A50C
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_075607B00_2_075607B0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_07554D3B0_2_07554D3B
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_02C0D5BC0_2_02C0D5BC
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_053A00060_2_053A0006
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_053A00400_2_053A0040
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078DA2C00_2_078DA2C0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D16780_2_078D1678
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D32B80_2_078D32B8
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D40900_2_078D4090
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D40A00_2_078D40A0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D3C680_2_078D3C68
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D1AA00_2_078D1AA0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078D1AB00_2_078D1AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015481586_2_01548158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B01006_2_014B0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155A1186_2_0155A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015781CC6_2_015781CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015801AA6_2_015801AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015741A26_2_015741A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015520006_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A3526_2_0157A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE3F06_2_014CE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015803E66_2_015803E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015602746_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015402C06_2_015402C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C05356_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015805916_2_01580591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015724466_2_01572446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015644206_2_01564420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E4F66_2_0156E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E47506_2_014E4750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C07706_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BC7C06_2_014BC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DC6E06_2_014DC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D69626_2_014D6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A06_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158A9A66_2_0158A9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA8406_2_014CA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C28406_2_014C2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE8F06_2_014EE8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A68B86_2_014A68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157AB406_2_0157AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01576BD76_2_01576BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BEA806_2_014BEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155CD1F6_2_0155CD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CAD006_2_014CAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BADE06_2_014BADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D8DBF6_2_014D8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0C006_2_014C0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0CF26_2_014B0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560CB56_2_01560CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01534F406_2_01534F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01562F306_2_01562F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01502F286_2_01502F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0F306_2_014E0F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2FC86_2_014B2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CCFE06_2_014CCFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153EFA06_2_0153EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0E596_2_014C0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157EE266_2_0157EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C8ECF6_2_014C8ECF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157EEDB6_2_0157EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157CE936_2_0157CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2E906_2_014D2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F516C6_2_014F516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158B16B6_2_0158B16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AF1726_2_014AF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CB1B06_2_014CB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C70C06_2_014C70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156F0CC6_2_0156F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157F0E06_2_0157F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015770E96_2_015770E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AD34C6_2_014AD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157132D6_2_0157132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C33F36_2_014C33F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150739A6_2_0150739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DB2C06_2_014DB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015612ED6_2_015612ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DD2F06_2_014DD2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C52A06_2_014C52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015775716_2_01577571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015895C36_2_015895C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155D5B06_2_0155D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B14606_2_014B1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157F43F6_2_0157F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C34976_2_014C3497
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157F7B06_2_0157F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015716CC6_2_015716CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C99506_2_014C9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DB9506_2_014DB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015559106_2_01555910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B18406_2_014B1840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152D8006_2_0152D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C38E06_2_014C38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157FB766_2_0157FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01535BF06_2_01535BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FDBF96_2_014FDBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DFB806_2_014DFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01577A466_2_01577A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157FA496_2_0157FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01533A6C6_2_01533A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156DAC66_2_0156DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01561AA36_2_01561AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155DAAC6_2_0155DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C3D406_2_014C3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01571D5A6_2_01571D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01577D736_2_01577D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DFDC06_2_014DFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D9C446_2_014D9C44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01539C326_2_01539C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157FCF26_2_0157FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157FF096_2_0157FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C1F926_2_014C1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157FFB16_2_0157FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C9EB06_2_014C9EB0
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6942327_2_0E694232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6930367_2_0E693036
          Source: C:\Windows\explorer.exeCode function: 7_2_0E68A0827_2_0E68A082
          Source: C:\Windows\explorer.exeCode function: 7_2_0E68EB307_2_0E68EB30
          Source: C:\Windows\explorer.exeCode function: 7_2_0E68EB327_2_0E68EB32
          Source: C:\Windows\explorer.exeCode function: 7_2_0E68BD027_2_0E68BD02
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6919127_2_0E691912
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6975CD7_2_0E6975CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC7DB327_2_0FC7DB32
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC7DB307_2_0FC7DB30
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC832327_2_0FC83232
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC865CD7_2_0FC865CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC7AD027_2_0FC7AD02
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC809127_2_0FC80912
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC790827_2_0FC79082
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC820367_2_0FC82036
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD42B307_2_0FD42B30
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD42B327_2_0FD42B32
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD482327_2_0FD48232
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD4B5CD7_2_0FD4B5CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD459127_2_0FD45912
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD3FD027_2_0FD3FD02
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD3E0827_2_0FD3E082
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD470367_2_0FD47036
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_0081D5BC8_2_0081D5BC
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB95408_2_06AB9540
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB16788_2_06AB1678
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB32B88_2_06AB32B8
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB40A08_2_06AB40A0
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB40908_2_06AB4090
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB3C688_2_06AB3C68
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB1AA08_2_06AB1AA0
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06AB1AB08_2_06AB1AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0040103012_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D94612_2_0041D946
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D9F312_2_0041D9F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041E3C912_2_0041E3C9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041E56712_2_0041E567
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D57312_2_0041D573
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00402D8712_2_00402D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00402D9012_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00409E5B12_2_00409E5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00409E6012_2_00409E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041E7D912_2_0041E7D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00402FB012_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0176815812_2_01768158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D010012_2_016D0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177A11812_2_0177A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017981CC12_2_017981CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017A01AA12_2_017A01AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017941A212_2_017941A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177200012_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017A03E612_2_017A03E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016EE3F012_2_016EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0178027412_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017602C012_2_017602C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E053512_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017A059112_2_017A0591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179244612_2_01792446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0178442012_2_01784420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0178E4F612_2_0178E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E077012_2_016E0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0170475012_2_01704750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016DC7C012_2_016DC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FC6E012_2_016FC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016F696212_2_016F6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E29A012_2_016E29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017AA9A612_2_017AA9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E284012_2_016E2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016EA84012_2_016EA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0170E8F012_2_0170E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016C68B812_2_016C68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179AB4012_2_0179AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01796BD712_2_01796BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D4B9112_2_016D4B91
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016DEA8012_2_016DEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177CD1F12_2_0177CD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016EAD0012_2_016EAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016DADE012_2_016DADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016F8DBF12_2_016F8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E0C0012_2_016E0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D0CF212_2_016D0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01780CB512_2_01780CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01754F4012_2_01754F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01700F3012_2_01700F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01782F3012_2_01782F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01722F2812_2_01722F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D2FC812_2_016D2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0175EFA012_2_0175EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E0E5912_2_016E0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179EE2612_2_0179EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179EEDB12_2_0179EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179CE9312_2_0179CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016F2E9012_2_016F2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017AB16B12_2_017AB16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0171516C12_2_0171516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016CF17212_2_016CF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016EB1B012_2_016EB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017970E912_2_017970E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179F0E012_2_0179F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E70C012_2_016E70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0178F0CC12_2_0178F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016CD34C12_2_016CD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179132D12_2_0179132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0172739A12_2_0172739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017812ED12_2_017812ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FD2F012_2_016FD2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FB2C012_2_016FB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E52A012_2_016E52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179757112_2_01797571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017A95C312_2_017A95C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177D5B012_2_0177D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D146012_2_016D1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179F43F12_2_0179F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016D17EC12_2_016D17EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179F7B012_2_0179F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0172563012_2_01725630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_017916CC12_2_017916CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E995012_2_016E9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FB95012_2_016FB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177591012_2_01775910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0174D80012_2_0174D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E38E012_2_016E38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179FB7612_2_0179FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01755BF012_2_01755BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0171DBF912_2_0171DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FFB8012_2_016FFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01753A6C12_2_01753A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179FA4912_2_0179FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01797A4612_2_01797A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0178DAC612_2_0178DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01725AA012_2_01725AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0177DAAC12_2_0177DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01781AA312_2_01781AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01797D7312_2_01797D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01791D5A12_2_01791D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E3D4012_2_016E3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016FFDC012_2_016FFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_01759C3212_2_01759C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179FCF212_2_0179FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179FF0912_2_0179FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016A3FD212_2_016A3FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016A3FD512_2_016A3FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0179FFB112_2_0179FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E1F9212_2_016E1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016E9EB012_2_016E9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01507E54 appears 129 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01727E54 appears 106 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0174EA12 appears 73 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0152EA12 appears 37 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01507EB0 appears 31 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0175F290 appears 97 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 016CB970 appears 268 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01715130 appears 58 times
          Source: HUEtVS3MQe.exe, 00000000.00000000.1683772273.0000000000B14000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVcf.exe6 vs HUEtVS3MQe.exe
          Source: HUEtVS3MQe.exe, 00000000.00000002.1727441959.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs HUEtVS3MQe.exe
          Source: HUEtVS3MQe.exe, 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs HUEtVS3MQe.exe
          Source: HUEtVS3MQe.exe, 00000000.00000002.1735500577.0000000008D30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs HUEtVS3MQe.exe
          Source: HUEtVS3MQe.exeBinary or memory string: OriginalFilenameVcf.exe6 vs HUEtVS3MQe.exe
          Source: HUEtVS3MQe.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4161736928.000000000E6AC000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: HUEtVS3MQe.exe PID: 6856, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: OEcHGGP.exe PID: 7136, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: mstsc.exe PID: 7372, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: wlanext.exe PID: 7380, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: HUEtVS3MQe.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: OEcHGGP.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, ig3Fwe1AGkRWNDpY89.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, ig3Fwe1AGkRWNDpY89.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, ig3Fwe1AGkRWNDpY89.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, uh77xlLJUk8SdL0aqi.csSecurity API names: _0020.AddAccessRule
          Source: classification engineClassification label: mal100.troj.evad.winEXE@268/11@12/0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile created: C:\Users\user\AppData\Roaming\OEcHGGP.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMutant created: NULL
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMutant created: \Sessions\1\BaseNamedObjects\giCGCHeERpNXNPqpiWKzvcZj
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile created: C:\Users\user\AppData\Local\Temp\tmp918E.tmpJump to behavior
          Source: HUEtVS3MQe.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: HUEtVS3MQe.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: HUEtVS3MQe.exeReversingLabs: Detection: 73%
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile read: C:\Users\user\Desktop\HUEtVS3MQe.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\HUEtVS3MQe.exe "C:\Users\user\Desktop\HUEtVS3MQe.exe"
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\OEcHGGP.exe C:\Users\user\AppData\Roaming\OEcHGGP.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: credui.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: cryptui.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: HUEtVS3MQe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HUEtVS3MQe.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4166306293.0000000010F7F000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4149107938.0000000004ECF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147857813.0000000002C84000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1775233680.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1773205431.000000000461B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004980000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1777329434.00000000038FB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1775098668.0000000003748000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000006.00000002.1775583788.0000000001028000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1776453181.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1780350544.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1775233680.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1773205431.000000000461B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4148461248.0000000004980000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1781270881.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1777329434.00000000038FB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.1775098668.0000000003748000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1781418449.0000000003250000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147426561.00000000008A0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4166306293.0000000010F7F000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4149107938.0000000004ECF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147857813.0000000002C84000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: RegSvcs.exe, 0000000C.00000002.1781418449.0000000003250000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4147426561.00000000008A0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1775583788.0000000001028000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1776453181.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.1780350544.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, uh77xlLJUk8SdL0aqi.cs.Net Code: TZTUXbvpxM System.Reflection.Assembly.Load(byte[])
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, uh77xlLJUk8SdL0aqi.cs.Net Code: TZTUXbvpxM System.Reflection.Assembly.Load(byte[])
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, uh77xlLJUk8SdL0aqi.cs.Net Code: TZTUXbvpxM System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeCode function: 0_2_078DB8A8 push esp; retf 0_2_078DB8A9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B09AD push ecx; mov dword ptr [esp], ecx6_2_014B09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CEFE3 push esi; ret 6_2_014CEFE5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01481FEC push eax; iretd 6_2_01481FED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CBFEA push ebx; retf 6_2_014CBFEB
          Source: C:\Windows\explorer.exeCode function: 7_2_0E697B02 push esp; retn 0000h7_2_0E697B03
          Source: C:\Windows\explorer.exeCode function: 7_2_0E697B1E push esp; retn 0000h7_2_0E697B1F
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6979B5 push esp; retn 0000h7_2_0E697AE7
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC86B02 push esp; retn 0000h7_2_0FC86B03
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC86B1E push esp; retn 0000h7_2_0FC86B1F
          Source: C:\Windows\explorer.exeCode function: 7_2_0FC869B5 push esp; retn 0000h7_2_0FC86AE7
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD4BB1E push esp; retn 0000h7_2_0FD4BB1F
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD4BB02 push esp; retn 0000h7_2_0FD4BB03
          Source: C:\Windows\explorer.exeCode function: 7_2_0FD4B9B5 push esp; retn 0000h7_2_0FD4BAE7
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeCode function: 8_2_06ABAA29 push E806ACBEh; ret 8_2_06ABAA35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041685B push edi; ret 12_2_00416876
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041703D push 0000002Ah; ret 12_2_0041703F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D946 push dword ptr [637AF8F0h]; ret 12_2_0041D944
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D9F3 push dword ptr [637AF8F0h]; ret 12_2_0041D944
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00416A1F pushfd ; ret 12_2_00416A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041E3C9 push dword ptr [637AF8F0h]; ret 12_2_0041D944
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D4D2 push eax; ret 12_2_0041D4D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D4DB push eax; ret 12_2_0041D542
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D485 push eax; ret 12_2_0041D4D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041648C push es; iretd 12_2_00416492
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D573 push dword ptr [637AF8F0h]; ret 12_2_0041D944
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0041D53C push eax; ret 12_2_0041D542
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00418759 pushad ; iretd 12_2_0041875C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_004167F8 push edi; ret 12_2_00416876
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016A225F pushad ; ret 12_2_016A27F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_016A27FA pushad ; ret 12_2_016A27F9
          Source: HUEtVS3MQe.exeStatic PE information: section name: .text entropy: 7.83719992294818
          Source: OEcHGGP.exe.0.drStatic PE information: section name: .text entropy: 7.83719992294818
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, AYRTyHvmCqBhhS3jYB.csHigh entropy of concatenated method names: 'k11OuhprGJ', 'lkuOx06Q07', 'zxkO1lOeJv', 'QDXOvafaxU', 'ziJOyECes9', 'NinOb88LtA', 'AWPOdj2gCT', 'YROODA2FUf', 'gflOw4a4LZ', 'PXCOtfcS9p'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, HTmH8izSNwPJXSiiBn.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AjOw8fVCPm', 'fD9wy2C0Vd', 'G6VwbgqHqH', 'NHfwd2jZsh', 'pnlwDF6bCF', 'SM1wwWNx7q', 'hIqwt5NYSH'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, SlGsOTAMQ8WWAnQ2L0.csHigh entropy of concatenated method names: 'uapdaELypk', 'eWDdFdFeau', 'y27DfNQlm3', 'sGPDgSXbPy', 'pjJdhsXHvS', 'ykudjgJpok', 'iAwdGV6w9O', 'HigdpmnnoY', 'WM8dkg6fwW', 'TgBdso24V2'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, cdJ9g5GQtukYXvNmNl.csHigh entropy of concatenated method names: 'zjm81JiQFu', 'Iso8vfoVJK', 'KCC89CBYSx', 'GFQ8N32Fx0', 'bfo82HdTui', 'i4m8BjCt41', 'N6D8i2cHXw', 'LZZ8VAgVYr', 'o7F8IofjSU', 'n468hvYhvx'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, YXApjj0cHaYsVbZ0hP.csHigh entropy of concatenated method names: 'hNJdQXWllR', 'OSSdn1aSSO', 'ToString', 'AiXdokvNkm', 'HHFdc8V0MU', 'WWBdOlO5fZ', 'RJBdER1iHA', 'w7sdl9vhdX', 'MNedTPmGEW', 'RWpdLJuD4y'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, hsco49NSWqA2PJlakK.csHigh entropy of concatenated method names: 'BVM218AClfhQFsywu2l', 'LjZqKvA1vg9wrYlJxdQ', 'KOMlDaNRAb', 'SYxlw58xX0', 'LxPltKxHfy', 'zBU00TAmCnvIMq2CqSF', 'V3gE2eAvqIuvwRZOo7m'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, uh77xlLJUk8SdL0aqi.csHigh entropy of concatenated method names: 'LdEYCdkjsD', 'rrKYoxQknb', 'GtGYc81LnH', 'RBbYOcm9Qo', 'Tg0YEI3oUq', 'UuKYl7x7bJ', 'zxwYTS0scn', 'v7JYLuQ6bP', 'PVgYMrdw1q', 'ukBYQepguW'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, tgGSyJgfLQ0SF6TdUJg.csHigh entropy of concatenated method names: 'GP7wSpMtWr', 'TNwwHaCeRs', 'hnIwXDF43M', 'XKvwufeL1H', 'LhLwRk7PJ8', 'J8awxMa39J', 'zu1wWxyXYa', 'SOfw1BFiRT', 'v0Twvr49K8', 'SiCwmMag04'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, DTFE1HrjUBx2C7eRxt.csHigh entropy of concatenated method names: 'fm3Xn9qNV', 'wo8uCp19B', 'Yw9x8q335', 'sLxWIh2PA', 'vchvFHyBG', 'JZRm67cFX', 'tkjePDlEd7jdB8qSSJ', 'RvBBR6V2RbXIPEIJ2l', 'sONDPtB1t', 'WCxtsBbri'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, DuGpUAimwvOF7LoMT1.csHigh entropy of concatenated method names: 'ImaToG2w1T', 'hPgTOiTJ0N', 'RJeTlRrKGI', 'HwYlFbhKti', 'ur0lz3EgMj', 'euVTfAiByI', 'E9gTgqOxtn', 'rj3Tr9vo9J', 'Ah3TYqZ3Rt', 'b7cTU1Vb7j'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, tiF5RXqliL0aMTZcdQ.csHigh entropy of concatenated method names: 'QrLD9hgpv5', 'zhhDN0ERKV', 'LnWDPlZWJ4', 'pUtD2QaW2U', 'eVPDp5uJe8', 'UsODB493Hs', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, Eamrl1gYgdWxJrRWFor.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nultpK3HqL', 'QGMtkmKPh9', 'Hsvtsoy5cG', 'l7Ot0lQyir', 'eaItJ2byTt', 'RCftAi8OUm', 'DjYtKYEEEY'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, bphA7Kc2QX64EO2aGT.csHigh entropy of concatenated method names: 'Dispose', 'tqPgqVmYv1', 'yGerN7itsu', 'OdP224wX8R', 'sILgFtbjml', 'slNgzYmGJZ', 'ProcessDialogKey', 'NqtrfiF5RX', 'iiLrg0aMTZ', 'gdQrrppCr7'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, KcbqocUwvqRDgKKKLy.csHigh entropy of concatenated method names: 'pvEgTg3Fwe', 'VGkgLRWNDp', 'ymCgQqBhhS', 'tjYgnBojAc', 'oXPgyM2OvM', 'y6rgb102WF', 'X3ZyUW7LTl5Zmn5Vmy', 'eRS1WaeY7qBu4OMeNs', 'OGZggPNn0V', 'UcNgY8Da8q'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, tRV9TR7gKbW4ypGaIb.csHigh entropy of concatenated method names: 'AyYls9iEYa', 'KIRl0YB35S', 'zhhlJTWLOW', 'ToString', 'adUlA8N15X', 'yV0lKXRSyG', 'BHMVixANipmpMggK4bS', 'XtgeqtAWwvuQ5771fng', 'MZPgNlAys7HNEiZC8So'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, QpCr73F3fn5YNOsHan.csHigh entropy of concatenated method names: 'WPbwgomPQk', 'EOvwYQilXH', 't7EwUn62kj', 'OlgwoAYeMt', 'VVawc3GYTU', 'o4JwEXxjIc', 'IXCwlWyPcl', 'RNqDKCynqf', 'bW6Daq5eC4', 'eeKDq3OZe2'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, MGyZlUOJgnS1lrbKLn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R7PrqRLp3y', 'J6MrFvMTNJ', 'iubrzaYCvT', 'EcHYfMwx3Q', 'fDGYguv2Ve', 'ldrYrSj3ym', 'BWKYYk0eAC', 'vVDmi8UAADYvScaHs3P'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, OLtbjmalwlNYmGJZZq.csHigh entropy of concatenated method names: 'OBiDordfM1', 'C5EDcy52vZ', 'AqdDO9bqjw', 'xd6DEOJt8n', 'RJZDlLQaeD', 'gB5DTH9cIn', 'PGVDLnkiM8', 'PiDDMNUwVO', 'u1QDQu6Mlm', 'I47DnV5UG1'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, frJkA4ggQHf3mwTFTRp.csHigh entropy of concatenated method names: 'ToString', 'DODtYcl10q', 'GK1tUfmi8P', 'xrXtC1c2pf', 'sTGtohX9iA', 'SFStcbZj9U', 'GPgtOUI4C0', 'l0ctEGVyRj', 'iuNqOLnGdBtE6OXIFOd', 'YXjJyWnknLNEjykBdiq'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, fjAc5gmHpW2F18XPM2.csHigh entropy of concatenated method names: 'M1qERT9C7h', 'RHFEWl1MG9', 'Ji6OPeAb7i', 'm0dO2sck6u', 'dHNOBJvE7l', 'hD4O7JBYjf', 'XA5OiXZVTB', 'SllOVlq7kQ', 'v5iOZ5bD08', 'dCVOIrm8dt'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, ig3Fwe1AGkRWNDpY89.csHigh entropy of concatenated method names: 'lH6cptl8P8', 'esgckuL9As', 'enccsgtlRJ', 'NOoc0Q3cBp', 'zalcJbhmhP', 't5dcAwGyUa', 'zPAcKbUccJ', 'uwgcaOPM4R', 'Ei5cqc1unr', 'PtucFpD2FC'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, ai79YTZ2RMh55NFqDD.csHigh entropy of concatenated method names: 'RWsTSgdost', 'TVOTHG8HM2', 'TigTXuHgFZ', 'qRITuogwPu', 'wxjTR1V2p1', 'wcdTx3UUnS', 'X8LTW52PJH', 'dhkT1J8hjN', 'w38TvlsyVR', 'LQoTmPNTV4'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, hvMS6r9102WFxtsC5r.csHigh entropy of concatenated method names: 'OsflCM0CES', 'do3lcBVZvX', 'LiHlEgLPUa', 'dmOlTJy8a3', 'o5KlL7HSvg', 'dxtEJQK7ra', 'h2uEA2tpbe', 'E9VEKaA5s4', 'GfBEaljavF', 'xt2EqqLTJC'
          Source: 0.2.HUEtVS3MQe.exe.403b5b0.1.raw.unpack, EH07eGpCV5h7fqOj84.csHigh entropy of concatenated method names: 'rWryIxo3u0', 'ftJyjrPrbA', 'SaVypgxCD2', 'zgpykw2EgV', 'fZ5yNMAq60', 'mLuyPSenbD', 'qsvy2Dh248', 'kSUyBcy8nG', 'w03y7Gy1aI', 'RrnyitKd3k'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, AYRTyHvmCqBhhS3jYB.csHigh entropy of concatenated method names: 'k11OuhprGJ', 'lkuOx06Q07', 'zxkO1lOeJv', 'QDXOvafaxU', 'ziJOyECes9', 'NinOb88LtA', 'AWPOdj2gCT', 'YROODA2FUf', 'gflOw4a4LZ', 'PXCOtfcS9p'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, HTmH8izSNwPJXSiiBn.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AjOw8fVCPm', 'fD9wy2C0Vd', 'G6VwbgqHqH', 'NHfwd2jZsh', 'pnlwDF6bCF', 'SM1wwWNx7q', 'hIqwt5NYSH'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, SlGsOTAMQ8WWAnQ2L0.csHigh entropy of concatenated method names: 'uapdaELypk', 'eWDdFdFeau', 'y27DfNQlm3', 'sGPDgSXbPy', 'pjJdhsXHvS', 'ykudjgJpok', 'iAwdGV6w9O', 'HigdpmnnoY', 'WM8dkg6fwW', 'TgBdso24V2'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, cdJ9g5GQtukYXvNmNl.csHigh entropy of concatenated method names: 'zjm81JiQFu', 'Iso8vfoVJK', 'KCC89CBYSx', 'GFQ8N32Fx0', 'bfo82HdTui', 'i4m8BjCt41', 'N6D8i2cHXw', 'LZZ8VAgVYr', 'o7F8IofjSU', 'n468hvYhvx'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, YXApjj0cHaYsVbZ0hP.csHigh entropy of concatenated method names: 'hNJdQXWllR', 'OSSdn1aSSO', 'ToString', 'AiXdokvNkm', 'HHFdc8V0MU', 'WWBdOlO5fZ', 'RJBdER1iHA', 'w7sdl9vhdX', 'MNedTPmGEW', 'RWpdLJuD4y'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, hsco49NSWqA2PJlakK.csHigh entropy of concatenated method names: 'BVM218AClfhQFsywu2l', 'LjZqKvA1vg9wrYlJxdQ', 'KOMlDaNRAb', 'SYxlw58xX0', 'LxPltKxHfy', 'zBU00TAmCnvIMq2CqSF', 'V3gE2eAvqIuvwRZOo7m'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, uh77xlLJUk8SdL0aqi.csHigh entropy of concatenated method names: 'LdEYCdkjsD', 'rrKYoxQknb', 'GtGYc81LnH', 'RBbYOcm9Qo', 'Tg0YEI3oUq', 'UuKYl7x7bJ', 'zxwYTS0scn', 'v7JYLuQ6bP', 'PVgYMrdw1q', 'ukBYQepguW'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, tgGSyJgfLQ0SF6TdUJg.csHigh entropy of concatenated method names: 'GP7wSpMtWr', 'TNwwHaCeRs', 'hnIwXDF43M', 'XKvwufeL1H', 'LhLwRk7PJ8', 'J8awxMa39J', 'zu1wWxyXYa', 'SOfw1BFiRT', 'v0Twvr49K8', 'SiCwmMag04'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, DTFE1HrjUBx2C7eRxt.csHigh entropy of concatenated method names: 'fm3Xn9qNV', 'wo8uCp19B', 'Yw9x8q335', 'sLxWIh2PA', 'vchvFHyBG', 'JZRm67cFX', 'tkjePDlEd7jdB8qSSJ', 'RvBBR6V2RbXIPEIJ2l', 'sONDPtB1t', 'WCxtsBbri'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, DuGpUAimwvOF7LoMT1.csHigh entropy of concatenated method names: 'ImaToG2w1T', 'hPgTOiTJ0N', 'RJeTlRrKGI', 'HwYlFbhKti', 'ur0lz3EgMj', 'euVTfAiByI', 'E9gTgqOxtn', 'rj3Tr9vo9J', 'Ah3TYqZ3Rt', 'b7cTU1Vb7j'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, tiF5RXqliL0aMTZcdQ.csHigh entropy of concatenated method names: 'QrLD9hgpv5', 'zhhDN0ERKV', 'LnWDPlZWJ4', 'pUtD2QaW2U', 'eVPDp5uJe8', 'UsODB493Hs', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, Eamrl1gYgdWxJrRWFor.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nultpK3HqL', 'QGMtkmKPh9', 'Hsvtsoy5cG', 'l7Ot0lQyir', 'eaItJ2byTt', 'RCftAi8OUm', 'DjYtKYEEEY'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, bphA7Kc2QX64EO2aGT.csHigh entropy of concatenated method names: 'Dispose', 'tqPgqVmYv1', 'yGerN7itsu', 'OdP224wX8R', 'sILgFtbjml', 'slNgzYmGJZ', 'ProcessDialogKey', 'NqtrfiF5RX', 'iiLrg0aMTZ', 'gdQrrppCr7'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, KcbqocUwvqRDgKKKLy.csHigh entropy of concatenated method names: 'pvEgTg3Fwe', 'VGkgLRWNDp', 'ymCgQqBhhS', 'tjYgnBojAc', 'oXPgyM2OvM', 'y6rgb102WF', 'X3ZyUW7LTl5Zmn5Vmy', 'eRS1WaeY7qBu4OMeNs', 'OGZggPNn0V', 'UcNgY8Da8q'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, tRV9TR7gKbW4ypGaIb.csHigh entropy of concatenated method names: 'AyYls9iEYa', 'KIRl0YB35S', 'zhhlJTWLOW', 'ToString', 'adUlA8N15X', 'yV0lKXRSyG', 'BHMVixANipmpMggK4bS', 'XtgeqtAWwvuQ5771fng', 'MZPgNlAys7HNEiZC8So'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, QpCr73F3fn5YNOsHan.csHigh entropy of concatenated method names: 'WPbwgomPQk', 'EOvwYQilXH', 't7EwUn62kj', 'OlgwoAYeMt', 'VVawc3GYTU', 'o4JwEXxjIc', 'IXCwlWyPcl', 'RNqDKCynqf', 'bW6Daq5eC4', 'eeKDq3OZe2'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, MGyZlUOJgnS1lrbKLn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R7PrqRLp3y', 'J6MrFvMTNJ', 'iubrzaYCvT', 'EcHYfMwx3Q', 'fDGYguv2Ve', 'ldrYrSj3ym', 'BWKYYk0eAC', 'vVDmi8UAADYvScaHs3P'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, OLtbjmalwlNYmGJZZq.csHigh entropy of concatenated method names: 'OBiDordfM1', 'C5EDcy52vZ', 'AqdDO9bqjw', 'xd6DEOJt8n', 'RJZDlLQaeD', 'gB5DTH9cIn', 'PGVDLnkiM8', 'PiDDMNUwVO', 'u1QDQu6Mlm', 'I47DnV5UG1'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, frJkA4ggQHf3mwTFTRp.csHigh entropy of concatenated method names: 'ToString', 'DODtYcl10q', 'GK1tUfmi8P', 'xrXtC1c2pf', 'sTGtohX9iA', 'SFStcbZj9U', 'GPgtOUI4C0', 'l0ctEGVyRj', 'iuNqOLnGdBtE6OXIFOd', 'YXjJyWnknLNEjykBdiq'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, fjAc5gmHpW2F18XPM2.csHigh entropy of concatenated method names: 'M1qERT9C7h', 'RHFEWl1MG9', 'Ji6OPeAb7i', 'm0dO2sck6u', 'dHNOBJvE7l', 'hD4O7JBYjf', 'XA5OiXZVTB', 'SllOVlq7kQ', 'v5iOZ5bD08', 'dCVOIrm8dt'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, ig3Fwe1AGkRWNDpY89.csHigh entropy of concatenated method names: 'lH6cptl8P8', 'esgckuL9As', 'enccsgtlRJ', 'NOoc0Q3cBp', 'zalcJbhmhP', 't5dcAwGyUa', 'zPAcKbUccJ', 'uwgcaOPM4R', 'Ei5cqc1unr', 'PtucFpD2FC'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, ai79YTZ2RMh55NFqDD.csHigh entropy of concatenated method names: 'RWsTSgdost', 'TVOTHG8HM2', 'TigTXuHgFZ', 'qRITuogwPu', 'wxjTR1V2p1', 'wcdTx3UUnS', 'X8LTW52PJH', 'dhkT1J8hjN', 'w38TvlsyVR', 'LQoTmPNTV4'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, hvMS6r9102WFxtsC5r.csHigh entropy of concatenated method names: 'OsflCM0CES', 'do3lcBVZvX', 'LiHlEgLPUa', 'dmOlTJy8a3', 'o5KlL7HSvg', 'dxtEJQK7ra', 'h2uEA2tpbe', 'E9VEKaA5s4', 'GfBEaljavF', 'xt2EqqLTJC'
          Source: 0.2.HUEtVS3MQe.exe.40ab3d0.2.raw.unpack, EH07eGpCV5h7fqOj84.csHigh entropy of concatenated method names: 'rWryIxo3u0', 'ftJyjrPrbA', 'SaVypgxCD2', 'zgpykw2EgV', 'fZ5yNMAq60', 'mLuyPSenbD', 'qsvy2Dh248', 'kSUyBcy8nG', 'w03y7Gy1aI', 'RrnyitKd3k'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, AYRTyHvmCqBhhS3jYB.csHigh entropy of concatenated method names: 'k11OuhprGJ', 'lkuOx06Q07', 'zxkO1lOeJv', 'QDXOvafaxU', 'ziJOyECes9', 'NinOb88LtA', 'AWPOdj2gCT', 'YROODA2FUf', 'gflOw4a4LZ', 'PXCOtfcS9p'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, HTmH8izSNwPJXSiiBn.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AjOw8fVCPm', 'fD9wy2C0Vd', 'G6VwbgqHqH', 'NHfwd2jZsh', 'pnlwDF6bCF', 'SM1wwWNx7q', 'hIqwt5NYSH'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, SlGsOTAMQ8WWAnQ2L0.csHigh entropy of concatenated method names: 'uapdaELypk', 'eWDdFdFeau', 'y27DfNQlm3', 'sGPDgSXbPy', 'pjJdhsXHvS', 'ykudjgJpok', 'iAwdGV6w9O', 'HigdpmnnoY', 'WM8dkg6fwW', 'TgBdso24V2'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, cdJ9g5GQtukYXvNmNl.csHigh entropy of concatenated method names: 'zjm81JiQFu', 'Iso8vfoVJK', 'KCC89CBYSx', 'GFQ8N32Fx0', 'bfo82HdTui', 'i4m8BjCt41', 'N6D8i2cHXw', 'LZZ8VAgVYr', 'o7F8IofjSU', 'n468hvYhvx'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, YXApjj0cHaYsVbZ0hP.csHigh entropy of concatenated method names: 'hNJdQXWllR', 'OSSdn1aSSO', 'ToString', 'AiXdokvNkm', 'HHFdc8V0MU', 'WWBdOlO5fZ', 'RJBdER1iHA', 'w7sdl9vhdX', 'MNedTPmGEW', 'RWpdLJuD4y'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, hsco49NSWqA2PJlakK.csHigh entropy of concatenated method names: 'BVM218AClfhQFsywu2l', 'LjZqKvA1vg9wrYlJxdQ', 'KOMlDaNRAb', 'SYxlw58xX0', 'LxPltKxHfy', 'zBU00TAmCnvIMq2CqSF', 'V3gE2eAvqIuvwRZOo7m'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, uh77xlLJUk8SdL0aqi.csHigh entropy of concatenated method names: 'LdEYCdkjsD', 'rrKYoxQknb', 'GtGYc81LnH', 'RBbYOcm9Qo', 'Tg0YEI3oUq', 'UuKYl7x7bJ', 'zxwYTS0scn', 'v7JYLuQ6bP', 'PVgYMrdw1q', 'ukBYQepguW'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, tgGSyJgfLQ0SF6TdUJg.csHigh entropy of concatenated method names: 'GP7wSpMtWr', 'TNwwHaCeRs', 'hnIwXDF43M', 'XKvwufeL1H', 'LhLwRk7PJ8', 'J8awxMa39J', 'zu1wWxyXYa', 'SOfw1BFiRT', 'v0Twvr49K8', 'SiCwmMag04'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, DTFE1HrjUBx2C7eRxt.csHigh entropy of concatenated method names: 'fm3Xn9qNV', 'wo8uCp19B', 'Yw9x8q335', 'sLxWIh2PA', 'vchvFHyBG', 'JZRm67cFX', 'tkjePDlEd7jdB8qSSJ', 'RvBBR6V2RbXIPEIJ2l', 'sONDPtB1t', 'WCxtsBbri'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, DuGpUAimwvOF7LoMT1.csHigh entropy of concatenated method names: 'ImaToG2w1T', 'hPgTOiTJ0N', 'RJeTlRrKGI', 'HwYlFbhKti', 'ur0lz3EgMj', 'euVTfAiByI', 'E9gTgqOxtn', 'rj3Tr9vo9J', 'Ah3TYqZ3Rt', 'b7cTU1Vb7j'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, tiF5RXqliL0aMTZcdQ.csHigh entropy of concatenated method names: 'QrLD9hgpv5', 'zhhDN0ERKV', 'LnWDPlZWJ4', 'pUtD2QaW2U', 'eVPDp5uJe8', 'UsODB493Hs', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, Eamrl1gYgdWxJrRWFor.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nultpK3HqL', 'QGMtkmKPh9', 'Hsvtsoy5cG', 'l7Ot0lQyir', 'eaItJ2byTt', 'RCftAi8OUm', 'DjYtKYEEEY'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, bphA7Kc2QX64EO2aGT.csHigh entropy of concatenated method names: 'Dispose', 'tqPgqVmYv1', 'yGerN7itsu', 'OdP224wX8R', 'sILgFtbjml', 'slNgzYmGJZ', 'ProcessDialogKey', 'NqtrfiF5RX', 'iiLrg0aMTZ', 'gdQrrppCr7'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, KcbqocUwvqRDgKKKLy.csHigh entropy of concatenated method names: 'pvEgTg3Fwe', 'VGkgLRWNDp', 'ymCgQqBhhS', 'tjYgnBojAc', 'oXPgyM2OvM', 'y6rgb102WF', 'X3ZyUW7LTl5Zmn5Vmy', 'eRS1WaeY7qBu4OMeNs', 'OGZggPNn0V', 'UcNgY8Da8q'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, tRV9TR7gKbW4ypGaIb.csHigh entropy of concatenated method names: 'AyYls9iEYa', 'KIRl0YB35S', 'zhhlJTWLOW', 'ToString', 'adUlA8N15X', 'yV0lKXRSyG', 'BHMVixANipmpMggK4bS', 'XtgeqtAWwvuQ5771fng', 'MZPgNlAys7HNEiZC8So'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, QpCr73F3fn5YNOsHan.csHigh entropy of concatenated method names: 'WPbwgomPQk', 'EOvwYQilXH', 't7EwUn62kj', 'OlgwoAYeMt', 'VVawc3GYTU', 'o4JwEXxjIc', 'IXCwlWyPcl', 'RNqDKCynqf', 'bW6Daq5eC4', 'eeKDq3OZe2'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, MGyZlUOJgnS1lrbKLn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R7PrqRLp3y', 'J6MrFvMTNJ', 'iubrzaYCvT', 'EcHYfMwx3Q', 'fDGYguv2Ve', 'ldrYrSj3ym', 'BWKYYk0eAC', 'vVDmi8UAADYvScaHs3P'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, OLtbjmalwlNYmGJZZq.csHigh entropy of concatenated method names: 'OBiDordfM1', 'C5EDcy52vZ', 'AqdDO9bqjw', 'xd6DEOJt8n', 'RJZDlLQaeD', 'gB5DTH9cIn', 'PGVDLnkiM8', 'PiDDMNUwVO', 'u1QDQu6Mlm', 'I47DnV5UG1'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, frJkA4ggQHf3mwTFTRp.csHigh entropy of concatenated method names: 'ToString', 'DODtYcl10q', 'GK1tUfmi8P', 'xrXtC1c2pf', 'sTGtohX9iA', 'SFStcbZj9U', 'GPgtOUI4C0', 'l0ctEGVyRj', 'iuNqOLnGdBtE6OXIFOd', 'YXjJyWnknLNEjykBdiq'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, fjAc5gmHpW2F18XPM2.csHigh entropy of concatenated method names: 'M1qERT9C7h', 'RHFEWl1MG9', 'Ji6OPeAb7i', 'm0dO2sck6u', 'dHNOBJvE7l', 'hD4O7JBYjf', 'XA5OiXZVTB', 'SllOVlq7kQ', 'v5iOZ5bD08', 'dCVOIrm8dt'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, ig3Fwe1AGkRWNDpY89.csHigh entropy of concatenated method names: 'lH6cptl8P8', 'esgckuL9As', 'enccsgtlRJ', 'NOoc0Q3cBp', 'zalcJbhmhP', 't5dcAwGyUa', 'zPAcKbUccJ', 'uwgcaOPM4R', 'Ei5cqc1unr', 'PtucFpD2FC'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, ai79YTZ2RMh55NFqDD.csHigh entropy of concatenated method names: 'RWsTSgdost', 'TVOTHG8HM2', 'TigTXuHgFZ', 'qRITuogwPu', 'wxjTR1V2p1', 'wcdTx3UUnS', 'X8LTW52PJH', 'dhkT1J8hjN', 'w38TvlsyVR', 'LQoTmPNTV4'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, hvMS6r9102WFxtsC5r.csHigh entropy of concatenated method names: 'OsflCM0CES', 'do3lcBVZvX', 'LiHlEgLPUa', 'dmOlTJy8a3', 'o5KlL7HSvg', 'dxtEJQK7ra', 'h2uEA2tpbe', 'E9VEKaA5s4', 'GfBEaljavF', 'xt2EqqLTJC'
          Source: 0.2.HUEtVS3MQe.exe.8d30000.4.raw.unpack, EH07eGpCV5h7fqOj84.csHigh entropy of concatenated method names: 'rWryIxo3u0', 'ftJyjrPrbA', 'SaVypgxCD2', 'zgpykw2EgV', 'fZ5yNMAq60', 'mLuyPSenbD', 'qsvy2Dh248', 'kSUyBcy8nG', 'w03y7Gy1aI', 'RrnyitKd3k'
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeFile created: C:\Users\user\AppData\Roaming\OEcHGGP.exeJump to dropped file

          Boot Survival

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp"

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: Process Memory Space: HUEtVS3MQe.exe PID: 6856, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: OEcHGGP.exe PID: 7136, type: MEMORYSTR
          Switches to a custom stack to bypass stack traces
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 539904 second address: 53990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 3209904 second address: 320990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 539B7E second address: 539B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 3209B7E second address: 3209B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: 2C00000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: 2E60000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: 2C70000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: 8EA0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: 9EA0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: A0A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: B0A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 810000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 2470000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 2270000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 7F60000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 8F60000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: 9150000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: A150000 memory reserve | memory write watchJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE0D0 rdtsc 6_2_014AE0D0
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6747Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2932Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 9209Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 736Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 881Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 871Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeWindow / User API: threadDelayed 371
          Source: C:\Windows\SysWOW64\mstsc.exeWindow / User API: threadDelayed 9600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.8 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 1.7 %
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exe TID: 6924Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608Thread sleep time: -5534023222112862s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 7600Thread sleep count: 9209 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 7600Thread sleep time: -18418000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 7600Thread sleep count: 736 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 7600Thread sleep time: -1472000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exe TID: 4592Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7500Thread sleep count: 371 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7500Thread sleep time: -742000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7500Thread sleep count: 9600 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7500Thread sleep time: -19200000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000007.00000000.1721834208.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000002.4154707016.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000007.00000002.4154707016.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000007.00000000.1721834208.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000000.1710692009.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000007.00000000.1721834208.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000007.00000002.4154707016.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114945730.000000000982D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000007.00000000.1721834208.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000007.00000002.4151272507.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1713004813.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000007.00000000.1710692009.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000007.00000002.4154569198.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000007.00000000.1710692009.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE0D0 rdtsc 6_2_014AE0D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2B60 NtClose,LdrInitializeThunk,6_2_014F2B60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2140 mov ecx, dword ptr fs:[00000030h]6_2_014B2140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2140 mov eax, dword ptr fs:[00000030h]6_2_014B2140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01548158 mov eax, dword ptr fs:[00000030h]6_2_01548158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01544144 mov eax, dword ptr fs:[00000030h]6_2_01544144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01544144 mov eax, dword ptr fs:[00000030h]6_2_01544144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01544144 mov ecx, dword ptr fs:[00000030h]6_2_01544144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01544144 mov eax, dword ptr fs:[00000030h]6_2_01544144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01544144 mov eax, dword ptr fs:[00000030h]6_2_01544144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AC156 mov eax, dword ptr fs:[00000030h]6_2_014AC156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6154 mov eax, dword ptr fs:[00000030h]6_2_014B6154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6154 mov eax, dword ptr fs:[00000030h]6_2_014B6154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584164 mov eax, dword ptr fs:[00000030h]6_2_01584164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584164 mov eax, dword ptr fs:[00000030h]6_2_01584164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570115 mov eax, dword ptr fs:[00000030h]6_2_01570115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155A118 mov ecx, dword ptr fs:[00000030h]6_2_0155A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155A118 mov eax, dword ptr fs:[00000030h]6_2_0155A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155A118 mov eax, dword ptr fs:[00000030h]6_2_0155A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155A118 mov eax, dword ptr fs:[00000030h]6_2_0155A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov ecx, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov ecx, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov ecx, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov eax, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E10E mov ecx, dword ptr fs:[00000030h]6_2_0155E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0124 mov eax, dword ptr fs:[00000030h]6_2_014E0124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E1D0 mov eax, dword ptr fs:[00000030h]6_2_0152E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E1D0 mov eax, dword ptr fs:[00000030h]6_2_0152E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E1D0 mov ecx, dword ptr fs:[00000030h]6_2_0152E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E1D0 mov eax, dword ptr fs:[00000030h]6_2_0152E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E1D0 mov eax, dword ptr fs:[00000030h]6_2_0152E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015761C3 mov eax, dword ptr fs:[00000030h]6_2_015761C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015761C3 mov eax, dword ptr fs:[00000030h]6_2_015761C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C61D1 mov eax, dword ptr fs:[00000030h]6_2_014C61D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C61D1 mov eax, dword ptr fs:[00000030h]6_2_014C61D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E01F8 mov eax, dword ptr fs:[00000030h]6_2_014E01F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015861E5 mov eax, dword ptr fs:[00000030h]6_2_015861E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0185 mov eax, dword ptr fs:[00000030h]6_2_014F0185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153019F mov eax, dword ptr fs:[00000030h]6_2_0153019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153019F mov eax, dword ptr fs:[00000030h]6_2_0153019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153019F mov eax, dword ptr fs:[00000030h]6_2_0153019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153019F mov eax, dword ptr fs:[00000030h]6_2_0153019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01554180 mov eax, dword ptr fs:[00000030h]6_2_01554180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01554180 mov eax, dword ptr fs:[00000030h]6_2_01554180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA197 mov eax, dword ptr fs:[00000030h]6_2_014AA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA197 mov eax, dword ptr fs:[00000030h]6_2_014AA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA197 mov eax, dword ptr fs:[00000030h]6_2_014AA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156C188 mov eax, dword ptr fs:[00000030h]6_2_0156C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156C188 mov eax, dword ptr fs:[00000030h]6_2_0156C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536050 mov eax, dword ptr fs:[00000030h]6_2_01536050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2050 mov eax, dword ptr fs:[00000030h]6_2_014B2050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA060 mov eax, dword ptr fs:[00000030h]6_2_014EA060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DC073 mov eax, dword ptr fs:[00000030h]6_2_014DC073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01534000 mov ecx, dword ptr fs:[00000030h]6_2_01534000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01552000 mov eax, dword ptr fs:[00000030h]6_2_01552000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE016 mov eax, dword ptr fs:[00000030h]6_2_014CE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE016 mov eax, dword ptr fs:[00000030h]6_2_014CE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE016 mov eax, dword ptr fs:[00000030h]6_2_014CE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE016 mov eax, dword ptr fs:[00000030h]6_2_014CE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546030 mov eax, dword ptr fs:[00000030h]6_2_01546030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA020 mov eax, dword ptr fs:[00000030h]6_2_014AA020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AC020 mov eax, dword ptr fs:[00000030h]6_2_014AC020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015320DE mov eax, dword ptr fs:[00000030h]6_2_015320DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B80E9 mov eax, dword ptr fs:[00000030h]6_2_014B80E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA0E3 mov ecx, dword ptr fs:[00000030h]6_2_014AA0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015360E0 mov eax, dword ptr fs:[00000030h]6_2_015360E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AC0F0 mov eax, dword ptr fs:[00000030h]6_2_014AC0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F20F0 mov ecx, dword ptr fs:[00000030h]6_2_014F20F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B208A mov eax, dword ptr fs:[00000030h]6_2_014B208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A80A0 mov eax, dword ptr fs:[00000030h]6_2_014A80A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015760B8 mov eax, dword ptr fs:[00000030h]6_2_015760B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015760B8 mov ecx, dword ptr fs:[00000030h]6_2_015760B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015480A8 mov eax, dword ptr fs:[00000030h]6_2_015480A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A352 mov eax, dword ptr fs:[00000030h]6_2_0157A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01558350 mov ecx, dword ptr fs:[00000030h]6_2_01558350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov eax, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov eax, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov eax, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov ecx, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov eax, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153035C mov eax, dword ptr fs:[00000030h]6_2_0153035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158634F mov eax, dword ptr fs:[00000030h]6_2_0158634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01532349 mov eax, dword ptr fs:[00000030h]6_2_01532349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155437C mov eax, dword ptr fs:[00000030h]6_2_0155437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA30B mov eax, dword ptr fs:[00000030h]6_2_014EA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA30B mov eax, dword ptr fs:[00000030h]6_2_014EA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA30B mov eax, dword ptr fs:[00000030h]6_2_014EA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AC310 mov ecx, dword ptr fs:[00000030h]6_2_014AC310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0310 mov ecx, dword ptr fs:[00000030h]6_2_014D0310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2324 mov eax, dword ptr fs:[00000030h]6_2_014B2324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01588324 mov eax, dword ptr fs:[00000030h]6_2_01588324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01588324 mov ecx, dword ptr fs:[00000030h]6_2_01588324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01588324 mov eax, dword ptr fs:[00000030h]6_2_01588324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01588324 mov eax, dword ptr fs:[00000030h]6_2_01588324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015543D4 mov eax, dword ptr fs:[00000030h]6_2_015543D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015543D4 mov eax, dword ptr fs:[00000030h]6_2_015543D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA3C0 mov eax, dword ptr fs:[00000030h]6_2_014BA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B83C0 mov eax, dword ptr fs:[00000030h]6_2_014B83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B83C0 mov eax, dword ptr fs:[00000030h]6_2_014B83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B83C0 mov eax, dword ptr fs:[00000030h]6_2_014B83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B83C0 mov eax, dword ptr fs:[00000030h]6_2_014B83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E3DB mov eax, dword ptr fs:[00000030h]6_2_0155E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E3DB mov eax, dword ptr fs:[00000030h]6_2_0155E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E3DB mov ecx, dword ptr fs:[00000030h]6_2_0155E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E3DB mov eax, dword ptr fs:[00000030h]6_2_0155E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015363C0 mov eax, dword ptr fs:[00000030h]6_2_015363C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156C3CD mov eax, dword ptr fs:[00000030h]6_2_0156C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C03E9 mov eax, dword ptr fs:[00000030h]6_2_014C03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E63FF mov eax, dword ptr fs:[00000030h]6_2_014E63FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE3F0 mov eax, dword ptr fs:[00000030h]6_2_014CE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE3F0 mov eax, dword ptr fs:[00000030h]6_2_014CE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE3F0 mov eax, dword ptr fs:[00000030h]6_2_014CE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE388 mov eax, dword ptr fs:[00000030h]6_2_014AE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE388 mov eax, dword ptr fs:[00000030h]6_2_014AE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE388 mov eax, dword ptr fs:[00000030h]6_2_014AE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D438F mov eax, dword ptr fs:[00000030h]6_2_014D438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D438F mov eax, dword ptr fs:[00000030h]6_2_014D438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8397 mov eax, dword ptr fs:[00000030h]6_2_014A8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8397 mov eax, dword ptr fs:[00000030h]6_2_014A8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8397 mov eax, dword ptr fs:[00000030h]6_2_014A8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158625D mov eax, dword ptr fs:[00000030h]6_2_0158625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156A250 mov eax, dword ptr fs:[00000030h]6_2_0156A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156A250 mov eax, dword ptr fs:[00000030h]6_2_0156A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01538243 mov eax, dword ptr fs:[00000030h]6_2_01538243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01538243 mov ecx, dword ptr fs:[00000030h]6_2_01538243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6259 mov eax, dword ptr fs:[00000030h]6_2_014B6259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA250 mov eax, dword ptr fs:[00000030h]6_2_014AA250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A826B mov eax, dword ptr fs:[00000030h]6_2_014A826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560274 mov eax, dword ptr fs:[00000030h]6_2_01560274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4260 mov eax, dword ptr fs:[00000030h]6_2_014B4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4260 mov eax, dword ptr fs:[00000030h]6_2_014B4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4260 mov eax, dword ptr fs:[00000030h]6_2_014B4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0218 mov eax, dword ptr fs:[00000030h]6_2_014C0218
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A823B mov eax, dword ptr fs:[00000030h]6_2_014A823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA2C3 mov eax, dword ptr fs:[00000030h]6_2_014BA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA2C3 mov eax, dword ptr fs:[00000030h]6_2_014BA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA2C3 mov eax, dword ptr fs:[00000030h]6_2_014BA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA2C3 mov eax, dword ptr fs:[00000030h]6_2_014BA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA2C3 mov eax, dword ptr fs:[00000030h]6_2_014BA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015862D6 mov eax, dword ptr fs:[00000030h]6_2_015862D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C02E1 mov eax, dword ptr fs:[00000030h]6_2_014C02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C02E1 mov eax, dword ptr fs:[00000030h]6_2_014C02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C02E1 mov eax, dword ptr fs:[00000030h]6_2_014C02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02FE mov ecx, dword ptr fs:[00000030h]6_2_014D02FE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE284 mov eax, dword ptr fs:[00000030h]6_2_014EE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE284 mov eax, dword ptr fs:[00000030h]6_2_014EE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01530283 mov eax, dword ptr fs:[00000030h]6_2_01530283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01530283 mov eax, dword ptr fs:[00000030h]6_2_01530283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01530283 mov eax, dword ptr fs:[00000030h]6_2_01530283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C02A0 mov eax, dword ptr fs:[00000030h]6_2_014C02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C02A0 mov eax, dword ptr fs:[00000030h]6_2_014C02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov eax, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov ecx, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov eax, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov eax, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov eax, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015462A0 mov eax, dword ptr fs:[00000030h]6_2_015462A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8550 mov eax, dword ptr fs:[00000030h]6_2_014B8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8550 mov eax, dword ptr fs:[00000030h]6_2_014B8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E656A mov eax, dword ptr fs:[00000030h]6_2_014E656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E656A mov eax, dword ptr fs:[00000030h]6_2_014E656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E656A mov eax, dword ptr fs:[00000030h]6_2_014E656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546500 mov eax, dword ptr fs:[00000030h]6_2_01546500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584500 mov eax, dword ptr fs:[00000030h]6_2_01584500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE53E mov eax, dword ptr fs:[00000030h]6_2_014DE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE53E mov eax, dword ptr fs:[00000030h]6_2_014DE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE53E mov eax, dword ptr fs:[00000030h]6_2_014DE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE53E mov eax, dword ptr fs:[00000030h]6_2_014DE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE53E mov eax, dword ptr fs:[00000030h]6_2_014DE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0535 mov eax, dword ptr fs:[00000030h]6_2_014C0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5CF mov eax, dword ptr fs:[00000030h]6_2_014EE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5CF mov eax, dword ptr fs:[00000030h]6_2_014EE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B65D0 mov eax, dword ptr fs:[00000030h]6_2_014B65D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA5D0 mov eax, dword ptr fs:[00000030h]6_2_014EA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA5D0 mov eax, dword ptr fs:[00000030h]6_2_014EA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC5ED mov eax, dword ptr fs:[00000030h]6_2_014EC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC5ED mov eax, dword ptr fs:[00000030h]6_2_014EC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE5E7 mov eax, dword ptr fs:[00000030h]6_2_014DE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B25E0 mov eax, dword ptr fs:[00000030h]6_2_014B25E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E4588 mov eax, dword ptr fs:[00000030h]6_2_014E4588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2582 mov eax, dword ptr fs:[00000030h]6_2_014B2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B2582 mov ecx, dword ptr fs:[00000030h]6_2_014B2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA580 mov ecx, dword ptr fs:[00000030h]6_2_014AA580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA580 mov eax, dword ptr fs:[00000030h]6_2_014AA580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE59C mov eax, dword ptr fs:[00000030h]6_2_014EE59C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015305A7 mov eax, dword ptr fs:[00000030h]6_2_015305A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015305A7 mov eax, dword ptr fs:[00000030h]6_2_015305A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015305A7 mov eax, dword ptr fs:[00000030h]6_2_015305A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D45B1 mov eax, dword ptr fs:[00000030h]6_2_014D45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D45B1 mov eax, dword ptr fs:[00000030h]6_2_014D45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156A456 mov eax, dword ptr fs:[00000030h]6_2_0156A456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE443 mov eax, dword ptr fs:[00000030h]6_2_014EE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A645D mov eax, dword ptr fs:[00000030h]6_2_014A645D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D245A mov eax, dword ptr fs:[00000030h]6_2_014D245A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153C460 mov ecx, dword ptr fs:[00000030h]6_2_0153C460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DA470 mov eax, dword ptr fs:[00000030h]6_2_014DA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DA470 mov eax, dword ptr fs:[00000030h]6_2_014DA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DA470 mov eax, dword ptr fs:[00000030h]6_2_014DA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8402 mov eax, dword ptr fs:[00000030h]6_2_014E8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8402 mov eax, dword ptr fs:[00000030h]6_2_014E8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8402 mov eax, dword ptr fs:[00000030h]6_2_014E8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE420 mov eax, dword ptr fs:[00000030h]6_2_014AE420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE420 mov eax, dword ptr fs:[00000030h]6_2_014AE420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AE420 mov eax, dword ptr fs:[00000030h]6_2_014AE420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AC427 mov eax, dword ptr fs:[00000030h]6_2_014AC427
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01536420 mov eax, dword ptr fs:[00000030h]6_2_01536420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B04E5 mov ecx, dword ptr fs:[00000030h]6_2_014B04E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156A49A mov eax, dword ptr fs:[00000030h]6_2_0156A49A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B64AB mov eax, dword ptr fs:[00000030h]6_2_014B64AB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153A4B0 mov eax, dword ptr fs:[00000030h]6_2_0153A4B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E44B0 mov ecx, dword ptr fs:[00000030h]6_2_014E44B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E674D mov esi, dword ptr fs:[00000030h]6_2_014E674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E674D mov eax, dword ptr fs:[00000030h]6_2_014E674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E674D mov eax, dword ptr fs:[00000030h]6_2_014E674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01534755 mov eax, dword ptr fs:[00000030h]6_2_01534755
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014AA740 mov eax, dword ptr fs:[00000030h]6_2_014AA740
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153E75D mov eax, dword ptr fs:[00000030h]6_2_0153E75D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0750 mov eax, dword ptr fs:[00000030h]6_2_014B0750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2750 mov eax, dword ptr fs:[00000030h]6_2_014F2750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2750 mov eax, dword ptr fs:[00000030h]6_2_014F2750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8770 mov eax, dword ptr fs:[00000030h]6_2_014B8770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0770 mov eax, dword ptr fs:[00000030h]6_2_014C0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC700 mov eax, dword ptr fs:[00000030h]6_2_014EC700
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0710 mov eax, dword ptr fs:[00000030h]6_2_014B0710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0710 mov eax, dword ptr fs:[00000030h]6_2_014E0710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152C730 mov eax, dword ptr fs:[00000030h]6_2_0152C730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC720 mov eax, dword ptr fs:[00000030h]6_2_014EC720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC720 mov eax, dword ptr fs:[00000030h]6_2_014EC720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E273C mov eax, dword ptr fs:[00000030h]6_2_014E273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E273C mov ecx, dword ptr fs:[00000030h]6_2_014E273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E273C mov eax, dword ptr fs:[00000030h]6_2_014E273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BC7C0 mov eax, dword ptr fs:[00000030h]6_2_014BC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015307C3 mov eax, dword ptr fs:[00000030h]6_2_015307C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D27ED mov eax, dword ptr fs:[00000030h]6_2_014D27ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D27ED mov eax, dword ptr fs:[00000030h]6_2_014D27ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D27ED mov eax, dword ptr fs:[00000030h]6_2_014D27ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B47FB mov eax, dword ptr fs:[00000030h]6_2_014B47FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B47FB mov eax, dword ptr fs:[00000030h]6_2_014B47FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153E7E1 mov eax, dword ptr fs:[00000030h]6_2_0153E7E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155678E mov eax, dword ptr fs:[00000030h]6_2_0155678E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B07AF mov eax, dword ptr fs:[00000030h]6_2_014B07AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015647A0 mov eax, dword ptr fs:[00000030h]6_2_015647A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CC640 mov eax, dword ptr fs:[00000030h]6_2_014CC640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA660 mov eax, dword ptr fs:[00000030h]6_2_014EA660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA660 mov eax, dword ptr fs:[00000030h]6_2_014EA660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157866E mov eax, dword ptr fs:[00000030h]6_2_0157866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157866E mov eax, dword ptr fs:[00000030h]6_2_0157866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E2674 mov eax, dword ptr fs:[00000030h]6_2_014E2674
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C260B mov eax, dword ptr fs:[00000030h]6_2_014C260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F2619 mov eax, dword ptr fs:[00000030h]6_2_014F2619
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E609 mov eax, dword ptr fs:[00000030h]6_2_0152E609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B262C mov eax, dword ptr fs:[00000030h]6_2_014B262C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CE627 mov eax, dword ptr fs:[00000030h]6_2_014CE627
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E6620 mov eax, dword ptr fs:[00000030h]6_2_014E6620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8620 mov eax, dword ptr fs:[00000030h]6_2_014E8620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA6C7 mov ebx, dword ptr fs:[00000030h]6_2_014EA6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA6C7 mov eax, dword ptr fs:[00000030h]6_2_014EA6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E6F2 mov eax, dword ptr fs:[00000030h]6_2_0152E6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E6F2 mov eax, dword ptr fs:[00000030h]6_2_0152E6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E6F2 mov eax, dword ptr fs:[00000030h]6_2_0152E6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E6F2 mov eax, dword ptr fs:[00000030h]6_2_0152E6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015306F1 mov eax, dword ptr fs:[00000030h]6_2_015306F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015306F1 mov eax, dword ptr fs:[00000030h]6_2_015306F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4690 mov eax, dword ptr fs:[00000030h]6_2_014B4690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4690 mov eax, dword ptr fs:[00000030h]6_2_014B4690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC6A6 mov eax, dword ptr fs:[00000030h]6_2_014EC6A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E66B0 mov eax, dword ptr fs:[00000030h]6_2_014E66B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01530946 mov eax, dword ptr fs:[00000030h]6_2_01530946
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584940 mov eax, dword ptr fs:[00000030h]6_2_01584940
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F096E mov eax, dword ptr fs:[00000030h]6_2_014F096E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F096E mov edx, dword ptr fs:[00000030h]6_2_014F096E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F096E mov eax, dword ptr fs:[00000030h]6_2_014F096E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01554978 mov eax, dword ptr fs:[00000030h]6_2_01554978
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01554978 mov eax, dword ptr fs:[00000030h]6_2_01554978
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D6962 mov eax, dword ptr fs:[00000030h]6_2_014D6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D6962 mov eax, dword ptr fs:[00000030h]6_2_014D6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D6962 mov eax, dword ptr fs:[00000030h]6_2_014D6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153C97C mov eax, dword ptr fs:[00000030h]6_2_0153C97C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153C912 mov eax, dword ptr fs:[00000030h]6_2_0153C912
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8918 mov eax, dword ptr fs:[00000030h]6_2_014A8918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8918 mov eax, dword ptr fs:[00000030h]6_2_014A8918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E908 mov eax, dword ptr fs:[00000030h]6_2_0152E908
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152E908 mov eax, dword ptr fs:[00000030h]6_2_0152E908
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153892A mov eax, dword ptr fs:[00000030h]6_2_0153892A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154892B mov eax, dword ptr fs:[00000030h]6_2_0154892B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A9D3 mov eax, dword ptr fs:[00000030h]6_2_0157A9D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015469C0 mov eax, dword ptr fs:[00000030h]6_2_015469C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA9D0 mov eax, dword ptr fs:[00000030h]6_2_014BA9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E49D0 mov eax, dword ptr fs:[00000030h]6_2_014E49D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153E9E0 mov eax, dword ptr fs:[00000030h]6_2_0153E9E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E29F9 mov eax, dword ptr fs:[00000030h]6_2_014E29F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E29F9 mov eax, dword ptr fs:[00000030h]6_2_014E29F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015389B3 mov esi, dword ptr fs:[00000030h]6_2_015389B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015389B3 mov eax, dword ptr fs:[00000030h]6_2_015389B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015389B3 mov eax, dword ptr fs:[00000030h]6_2_015389B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B09AD mov eax, dword ptr fs:[00000030h]6_2_014B09AD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B09AD mov eax, dword ptr fs:[00000030h]6_2_014B09AD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C29A0 mov eax, dword ptr fs:[00000030h]6_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2840 mov ecx, dword ptr fs:[00000030h]6_2_014C2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4859 mov eax, dword ptr fs:[00000030h]6_2_014B4859
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B4859 mov eax, dword ptr fs:[00000030h]6_2_014B4859
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0854 mov eax, dword ptr fs:[00000030h]6_2_014E0854
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153E872 mov eax, dword ptr fs:[00000030h]6_2_0153E872
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153E872 mov eax, dword ptr fs:[00000030h]6_2_0153E872
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546870 mov eax, dword ptr fs:[00000030h]6_2_01546870
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546870 mov eax, dword ptr fs:[00000030h]6_2_01546870
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153C810 mov eax, dword ptr fs:[00000030h]6_2_0153C810
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155483A mov eax, dword ptr fs:[00000030h]6_2_0155483A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155483A mov eax, dword ptr fs:[00000030h]6_2_0155483A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov eax, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov eax, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov eax, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov ecx, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov eax, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D2835 mov eax, dword ptr fs:[00000030h]6_2_014D2835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA830 mov eax, dword ptr fs:[00000030h]6_2_014EA830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE8C0 mov eax, dword ptr fs:[00000030h]6_2_014DE8C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015808C0 mov eax, dword ptr fs:[00000030h]6_2_015808C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A8E4 mov eax, dword ptr fs:[00000030h]6_2_0157A8E4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC8F9 mov eax, dword ptr fs:[00000030h]6_2_014EC8F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC8F9 mov eax, dword ptr fs:[00000030h]6_2_014EC8F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0887 mov eax, dword ptr fs:[00000030h]6_2_014B0887
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153C89D mov eax, dword ptr fs:[00000030h]6_2_0153C89D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155EB50 mov eax, dword ptr fs:[00000030h]6_2_0155EB50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01582B57 mov eax, dword ptr fs:[00000030h]6_2_01582B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01582B57 mov eax, dword ptr fs:[00000030h]6_2_01582B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01582B57 mov eax, dword ptr fs:[00000030h]6_2_01582B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01582B57 mov eax, dword ptr fs:[00000030h]6_2_01582B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546B40 mov eax, dword ptr fs:[00000030h]6_2_01546B40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01546B40 mov eax, dword ptr fs:[00000030h]6_2_01546B40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157AB40 mov eax, dword ptr fs:[00000030h]6_2_0157AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01558B42 mov eax, dword ptr fs:[00000030h]6_2_01558B42
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014A8B50 mov eax, dword ptr fs:[00000030h]6_2_014A8B50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01564B4B mov eax, dword ptr fs:[00000030h]6_2_01564B4B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01564B4B mov eax, dword ptr fs:[00000030h]6_2_01564B4B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014ACB7E mov eax, dword ptr fs:[00000030h]6_2_014ACB7E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2B79 mov eax, dword ptr fs:[00000030h]6_2_014C2B79
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2B79 mov eax, dword ptr fs:[00000030h]6_2_014C2B79
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2B79 mov eax, dword ptr fs:[00000030h]6_2_014C2B79
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152EB1D mov eax, dword ptr fs:[00000030h]6_2_0152EB1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01584B00 mov eax, dword ptr fs:[00000030h]6_2_01584B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DEB20 mov eax, dword ptr fs:[00000030h]6_2_014DEB20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DEB20 mov eax, dword ptr fs:[00000030h]6_2_014DEB20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01578B28 mov eax, dword ptr fs:[00000030h]6_2_01578B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01578B28 mov eax, dword ptr fs:[00000030h]6_2_01578B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155EBD0 mov eax, dword ptr fs:[00000030h]6_2_0155EBD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0BCD mov eax, dword ptr fs:[00000030h]6_2_014B0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0BCD mov eax, dword ptr fs:[00000030h]6_2_014B0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B0BCD mov eax, dword ptr fs:[00000030h]6_2_014B0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0BCB mov eax, dword ptr fs:[00000030h]6_2_014D0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0BCB mov eax, dword ptr fs:[00000030h]6_2_014D0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0BCB mov eax, dword ptr fs:[00000030h]6_2_014D0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0153CBF0 mov eax, dword ptr fs:[00000030h]6_2_0153CBF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DEBFC mov eax, dword ptr fs:[00000030h]6_2_014DEBFC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8BF0 mov eax, dword ptr fs:[00000030h]6_2_014B8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8BF0 mov eax, dword ptr fs:[00000030h]6_2_014B8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8BF0 mov eax, dword ptr fs:[00000030h]6_2_014B8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8BF0 mov ecx, dword ptr fs:[00000030h]6_2_014E8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8BF0 mov eax, dword ptr fs:[00000030h]6_2_014E8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8BF0 mov eax, dword ptr fs:[00000030h]6_2_014E8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01564BB0 mov eax, dword ptr fs:[00000030h]6_2_01564BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01564BB0 mov eax, dword ptr fs:[00000030h]6_2_01564BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0BBE mov eax, dword ptr fs:[00000030h]6_2_014C0BBE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0BBE mov eax, dword ptr fs:[00000030h]6_2_014C0BBE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0A5B mov eax, dword ptr fs:[00000030h]6_2_014C0A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C0A5B mov eax, dword ptr fs:[00000030h]6_2_014C0A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B6A50 mov eax, dword ptr fs:[00000030h]6_2_014B6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0A50 mov eax, dword ptr fs:[00000030h]6_2_014E0A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152CA72 mov eax, dword ptr fs:[00000030h]6_2_0152CA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0152CA72 mov eax, dword ptr fs:[00000030h]6_2_0152CA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014ECA6F mov eax, dword ptr fs:[00000030h]6_2_014ECA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014ECA6F mov eax, dword ptr fs:[00000030h]6_2_014ECA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014ECA6F mov eax, dword ptr fs:[00000030h]6_2_014ECA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155EA60 mov eax, dword ptr fs:[00000030h]6_2_0155EA60
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"Jump to behavior
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
          Found direct / indirect Syscall (likely to bypass EDR)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeNtQueueApcThread: Indirect: 0x11DA4F2Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeNtClose: Indirect: 0x11DA56C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeNtQueueApcThread: Indirect: 0x13DA4F2Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeNtClose: Indirect: 0x13DA56C
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 2580Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 2580Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeThread register set: target process: 2580
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\wlanext.exe base address: DA0000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 8A0000Jump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AFD008Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CD7008Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: explorer.exe, 00000007.00000002.4147899543.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1712665381.0000000004CE0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.4147899543.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1711003957.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.4147368623.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1710692009.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman$
          Source: explorer.exe, 00000007.00000002.4147899543.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1711003957.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000002.4147899543.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1711003957.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Users\user\Desktop\HUEtVS3MQe.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeQueries volume information: C:\Users\user\AppData\Roaming\OEcHGGP.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\OEcHGGP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HUEtVS3MQe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Scheduled Task/Job          		1
          Scheduled Task/Job          		712
          Process Injection          		1
          Masquerading          		OS Credential Dumping321
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Shared Modules          		1
          DLL Side-Loading          		1
          Scheduled Task/Job          		11
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop ProtocolData from Removable Media1
          Non-Application Layer Protocol          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          Abuse Elevation Control Mechanism          		41
          Virtualization/Sandbox Evasion          		Security Account Manager41
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive11
          Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          DLL Side-Loading          		712
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Abuse Elevation Control Mechanism          		Cached Domain Credentials212
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
          Obfuscated Files or Information          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
          Software Packing          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          DLL Side-Loading          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567546 Sample: HUEtVS3MQe.exe Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 55 www.eceriyayinlari.xyz 2->55 57 www.rogramdokpirdarmowy.today 2->57 59 11 other IPs or domains 2->59 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 81 11 other signatures 2->81 11 HUEtVS3MQe.exe 7 2->11         started        15 OEcHGGP.exe 5 2->15         started        signatures3 79 Performs DNS queries to domains with low reputation 55->79 process4 file5 47 C:\Users\user\AppData\Roaming\OEcHGGP.exe, PE32 11->47 dropped 49 C:\Users\user\...\OEcHGGP.exe:Zone.Identifier, ASCII 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmp918E.tmp, XML 11->51 dropped 53 C:\Users\user\AppData\...\HUEtVS3MQe.exe.log, ASCII 11->53 dropped 91 Uses schtasks.exe or at.exe to add and modify task schedules 11->91 93 Writes to foreign memory regions 11->93 95 Allocates memory in foreign processes 11->95 103 2 other signatures 11->103 17 RegSvcs.exe 11->17         started        20 powershell.exe 23 11->20         started        22 schtasks.exe 1 11->22         started        97 Antivirus detection for dropped file 15->97 99 Multi AV Scanner detection for dropped file 15->99 101 Machine Learning detection for dropped file 15->101 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 17->61 63 Maps a DLL or memory area into another process 17->63 65 Sample uses process hollowing technique 17->65 71 2 other signatures 17->71 28 explorer.exe 61 1 17->28 injected 67 Loading BitLocker PowerShell Module 20->67 30 WmiPrvSE.exe 20->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        69 Found direct / indirect Syscall (likely to bypass EDR) 24->69 36 conhost.exe 26->36         started        process9 process10 38 mstsc.exe 28->38         started        41 wlanext.exe 28->41         started        signatures11 83 Modifies the context of a thread in another process (thread injection) 38->83 85 Maps a DLL or memory area into another process 38->85 87 Tries to detect virtualization through RDTSC time measurements 38->87 89 Switches to a custom stack to bypass stack traces 38->89 43 cmd.exe 38->43         started        process12 process13 45 conhost.exe 43->45         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          HUEtVS3MQe.exe74%ReversingLabsByteCode-MSIL.Backdoor.FormBook
          HUEtVS3MQe.exe100%AviraTR/AD.Swotter.bqqlz
          HUEtVS3MQe.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\OEcHGGP.exe100%AviraTR/AD.Swotter.bqqlz
          C:\Users\user\AppData\Roaming\OEcHGGP.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Roaming\OEcHGGP.exe74%ReversingLabsByteCode-MSIL.Backdoor.FormBook

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.ilkool.infoReferer:0%Avira URL Cloudsafe
          http://www.ink-gluwty.onlineReferer:0%Avira URL Cloudsafe
          http://www.ixaahx.shop/gy15/0%Avira URL Cloudsafe
          http://www.ink-gluwty.online/gy15/www.hetinkerfoundation.net0%Avira URL Cloudsafe
          http://www.hetinkerfoundation.net/gy15/0%Avira URL Cloudsafe
          http://www.ahrump.homes0%Avira URL Cloudsafe
          http://www.hetinkerfoundation.net0%Avira URL Cloudsafe
          http://www.eceriyayinlari.xyz0%Avira URL Cloudsafe
          http://www.ighdd4675.online/gy15/www.eceriyayinlari.xyz0%Avira URL Cloudsafe
          http://www.ilkool.info/gy15/www.asposted.online0%Avira URL Cloudsafe
          http://www.ilkool.info0%Avira URL Cloudsafe
          http://www.18721.club/gy15/0%Avira URL Cloudsafe
          http://www.18721.clubReferer:0%Avira URL Cloudsafe
          http://www.hqaiop.xyz/gy15/www.ink-gluwty.online0%Avira URL Cloudsafe
          http://www.indow-replacement-46487.bondReferer:0%Avira URL Cloudsafe
          http://www.asposted.online/gy15/www.18721.club0%Avira URL Cloudsafe
          http://www.18721.club0%Avira URL Cloudsafe
          http://www.ahrump.homes/gy15/www.ixaahx.shop0%Avira URL Cloudsafe
          http://www.lennuser.shop/gy15/PZ0%Avira URL Cloudsafe
          http://www.hopbestdeals.online/gy15/0%Avira URL Cloudsafe
          http://www.sakkal.com00%Avira URL Cloudsafe
          http://www.etrot.proReferer:0%Avira URL Cloudsafe
          http://www.etrot.pro/gy15/0%Avira URL Cloudsafe
          http://www.ixaahx.shopReferer:0%Avira URL Cloudsafe
          http://www.hilohcreekpemf.onlineReferer:0%Avira URL Cloudsafe
          http://www.indow-replacement-46487.bond0%Avira URL Cloudsafe
          http://www.hilohcreekpemf.online/gy15/0%Avira URL Cloudsafe
          http://www.hilohcreekpemf.online/gy15/www.ilkool.info0%Avira URL Cloudsafe
          http://www.18721.club/gy15/www.rogramdokpirdarmowy.today0%Avira URL Cloudsafe
          http://www.ahrump.homes/gy15/0%Avira URL Cloudsafe
          http://www.ighdd4675.online/gy15/0%Avira URL Cloudsafe
          http://www.rogramdokpirdarmowy.today/gy15/0%Avira URL Cloudsafe
          http://www.ixaahx.shop0%Avira URL Cloudsafe
          http://www.hopbestdeals.online/gy15/www.etrot.pro0%Avira URL Cloudsafe
          http://www.ilkool.info/gy15/0%Avira URL Cloudsafe
          http://www.rogramdokpirdarmowy.today0%Avira URL Cloudsafe
          http://www.hopbestdeals.online0%Avira URL Cloudsafe
          http://www.eceriyayinlari.xyz/gy15/www.hopbestdeals.online0%Avira URL Cloudsafe
          http://www.rogramdokpirdarmowy.todayReferer:0%Avira URL Cloudsafe
          http://www.eceriyayinlari.xyzReferer:0%Avira URL Cloudsafe
          http://www.hetinkerfoundation.netReferer:0%Avira URL Cloudsafe
          http://www.ink-gluwty.online/gy15/0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          gtml.huksa.huhusddfnsuegcdn.com
          		23.167.152.41
          		truefalse
            		high
            www.ink-gluwty.online
            		unknown
            		unknowntrue
              		unknown
              www.eceriyayinlari.xyz
              		unknown
              		unknowntrue
                		unknown
                www.ighdd4675.online
                		unknown
                		unknowntrue
                  		unknown
                  www.ilkool.info
                  		unknown
                  		unknowntrue
                    		unknown
                    www.asposted.online
                    		unknown
                    		unknowntrue
                      		unknown
                      www.hopbestdeals.online
                      		unknown
                      		unknowntrue
                        		unknown
                        www.indow-replacement-46487.bond
                        		unknown
                        		unknowntrue
                          		unknown
                          www.hilohcreekpemf.online
                          		unknown
                          		unknowntrue
                            		unknown
                            www.18721.club
                            		unknown
                            		unknowntrue
                              		unknown
                              www.rogramdokpirdarmowy.today
                              		unknown
                              		unknowntrue
                                		unknown
                                www.etrot.pro
                                		unknown
                                		unknowntrue
                                  		unknown

                                  Contacted URLs

                                  NameMaliciousAntivirus DetectionReputation
                                  www.asposted.online/gy15/false
                                    		high

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://aka.ms/odirmrexplorer.exe, 00000007.00000000.1713004813.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.hetinkerfoundation.net/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.ink-gluwty.onlineReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.ahrump.homesexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.ilkool.infoReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                        		high
                                        https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.ixaahx.shop/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.com/designersHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://excel.office.comexplorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.ink-gluwty.online/gy15/www.hetinkerfoundation.netexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-weexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                		high
                                                https://simpleflying.com/how-do-you-become-an-air-traffic-controller/explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.hetinkerfoundation.netexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.ilkool.info/gy15/www.asposted.onlineexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.eceriyayinlari.xyzexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.ighdd4675.online/gy15/www.eceriyayinlari.xyzexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.ilkool.infoexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.sajatypeworks.comHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.founder.com.cn/cn/cTheHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.18721.club/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.galapagosdesign.com/DPleaseHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.18721.clubexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000007.00000000.1727625421.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.urwpp.deDPleaseHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.zhongyicts.com.cnHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.hopbestdeals.online/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHUEtVS3MQe.exe, 00000000.00000002.1729022718.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, OEcHGGP.exe, 00000008.00000002.1770502721.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://wns.windows.com/Lexplorer.exe, 00000007.00000000.1727625421.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.hqaiop.xyz/gy15/www.ink-gluwty.onlineexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://word.office.comexplorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.18721.clubReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://www.asposted.online/gy15/www.18721.clubexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://www.ahrump.homes/gy15/www.ixaahx.shopexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://www.indow-replacement-46487.bondReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://schemas.micrexplorer.exe, 00000007.00000003.3107589395.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4160121391.000000000C99E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1727625421.000000000C9A5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://www.lennuser.shop/gy15/PZexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      http://www.carterandcone.comlHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://www.sakkal.com0HUEtVS3MQe.exe, 00000000.00000002.1732757357.0000000005794000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          http://www.fontbureau.com/designers/frere-user.htmlHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://www.etrot.pro/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                		unknown
                                                                                                http://www.etrot.proReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                		unknown
                                                                                                https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://www.ixaahx.shopReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://www.hilohcreekpemf.onlineReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  http://www.indow-replacement-46487.bondexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000007.00000000.1713004813.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://www.18721.club/gy15/www.rogramdokpirdarmowy.todayexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://www.hilohcreekpemf.online/gy15/www.ilkool.infoexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://www.hilohcreekpemf.online/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    https://outlook.com_explorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://www.ahrump.homes/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://www.ighdd4675.online/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://www.rogramdokpirdarmowy.today/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://www.fontbureau.com/designersGHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://schemas.miexplorer.exe, 00000007.00000003.3107589395.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4160121391.000000000C99E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1727625421.000000000C9A5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://www.ixaahx.shopexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		unknown
                                                                                                              http://www.fontbureau.com/designers/?HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://www.ilkool.info/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.founder.com.cn/cn/bTheHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://www.hqaiop.xyz/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://www.fontbureau.com/designers?HUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000007.00000002.4151272507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://powerpoint.office.comcemberexplorer.exe, 00000007.00000000.1727625421.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4158319210.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://www.hopbestdeals.online/gy15/www.etrot.proexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown
                                                                                                                          http://www.tiro.comHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://www.rogramdokpirdarmowy.todayexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              http://www.goodfont.co.krHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://schemas.microexplorer.exe, 00000007.00000002.4153700221.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1722295597.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1716236899.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://www.rogramdokpirdarmowy.todayReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  		unknown
                                                                                                                                  http://www.hopbestdeals.onlineexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  		unknown
                                                                                                                                  http://www.asposted.onlineReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    http://www.eceriyayinlari.xyz/gy15/www.hopbestdeals.onlineexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		unknown
                                                                                                                                    http://www.typography.netDHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://www.eceriyayinlari.xyzReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      		unknown
                                                                                                                                      http://www.galapagosdesign.com/staff/dennis.htmHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://www.hqaiop.xyzexplorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://www.hetinkerfoundation.netReferer:explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            		unknown
                                                                                                                                            https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              http://www.ink-gluwty.online/gy15/explorer.exe, 00000007.00000002.4155725454.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108739929.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              		unknown
                                                                                                                                              https://api.msn.com/qexplorer.exe, 00000007.00000003.3114945730.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718444428.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154707016.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000007.00000000.1713004813.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151272507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://www.fonts.comHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    http://www.sandoll.co.krHUEtVS3MQe.exe, 00000000.00000002.1732965704.0000000006F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		high

                                                                                                                                                      World Map of Contacted IPs

                                                                                                                                                      No contacted IP infos

                                                                                                                                                      General Information

                                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                      Analysis ID:1567546
                                                                                                                                                      Start date and time:2024-12-03 16:52:24 +01:00
                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 12m 20s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:full
                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                      Number of analysed new started processes analysed:19
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:1
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Sample name:HUEtVS3MQe.exe
                                                                                                                                                      renamed because original name is a hash value
                                                                                                                                                      Original Sample Name:f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6.exe
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.troj.evad.winEXE@268/11@12/0
                                                                                                                                                      EGA Information:
                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 99%
                                                                                                                                                      • Number of executed functions: 119
                                                                                                                                                      • Number of non-executed functions: 323
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                                                                                                      Warnings

                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                      • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      • VT rate limit hit for: HUEtVS3MQe.exe

                                                                                                                                                      Simulations

                                                                                                                                                      Behavior and APIs

                                                                                                                                                      TimeTypeDescription
                                                                                                                                                      10:53:17API Interceptor2x Sleep call for process: HUEtVS3MQe.exe modified
                                                                                                                                                      10:53:18API Interceptor16x Sleep call for process: powershell.exe modified
                                                                                                                                                      10:53:20API Interceptor2x Sleep call for process: OEcHGGP.exe modified
                                                                                                                                                      10:53:40API Interceptor6695390x Sleep call for process: explorer.exe modified
                                                                                                                                                      10:54:01API Interceptor6051923x Sleep call for process: mstsc.exe modified
                                                                                                                                                      15:53:19Task SchedulerRun new task: OEcHGGP path: C:\Users\user\AppData\Roaming\OEcHGGP.exe

                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                      IPs

                                                                                                                                                      No context

                                                                                                                                                      Domains

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      gtml.huksa.huhusddfnsuegcdn.comA2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 23.167.152.41
                                                                                                                                                      Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 23.167.152.41
                                                                                                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 23.167.152.41
                                                                                                                                                      need quotations.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 23.167.152.41
                                                                                                                                                      rGO880-PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 206.119.185.138
                                                                                                                                                      Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 206.119.185.141
                                                                                                                                                      Maryam Farokhi-PhD- CV-1403.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 23.167.152.41
                                                                                                                                                      NIlfETZ9aE.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 206.119.185.226
                                                                                                                                                      s200ld6btf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 206.119.185.225
                                                                                                                                                      MV Sunshine.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                      • 206.119.185.225

                                                                                                                                                      ASNs

                                                                                                                                                      No context

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HUEtVS3MQe.exe.log

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\Desktop\HUEtVS3MQe.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1216
                                                                                                                                                      Entropy (8bit):5.34331486778365
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OEcHGGP.exe.log

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\OEcHGGP.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1216
                                                                                                                                                      Entropy (8bit):5.34331486778365
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2232
                                                                                                                                                      Entropy (8bit):5.379677338874509
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//Z8vUyus:tLHxvIIwLgZ2KRHWLOuggs
                                                                                                                                                      MD5:51E7E8593CF61FAEBFA2D6068856B984
                                                                                                                                                      SHA1:4A7A46C711A92CF80AA52EE6C202EEACB949AFE7
                                                                                                                                                      SHA-256:CA5FEF58059A737331B9F5A725A4F34D371E3C47EE652A1AE9AC6149C8E2D9C2
                                                                                                                                                      SHA-512:C5579A085022BCE7434976534D50DD5A716444E95ABE55372CA1E3DE6CE6F2B0481D3F38D599FAB57F53BDE0B25C63C2EB1A26EB3F62A65D40398D70A684DB05
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mfmgljr.aj1.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smk2k0ur.1bm.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v03v5yrs.kic.psm1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wizyes1w.ifk.ps1

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\tmp918E.tmp

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\Desktop\HUEtVS3MQe.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1573
                                                                                                                                                      Entropy (8bit):5.110193788624158
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
                                                                                                                                                      MD5:4E9CBDDEB999C4CA1EB9121F3DBD672F
                                                                                                                                                      SHA1:F4810A734698E86E4D3F4506CFFCF729D20F831F
                                                                                                                                                      SHA-256:46BFEC4CD4A28049CDFCB8D36576636199043F0753523182FD4686679AE48B8D
                                                                                                                                                      SHA-512:8286C442A54E4B79151B40C23FC1EE2DED3064A21A7DB480C0A0C5B0B972102EBD5A211C37E2EA7740679615394BA06B3BDA673B8F2957CA66C87D2E70B53CDE
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                                                                                      C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\OEcHGGP.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1573
                                                                                                                                                      Entropy (8bit):5.110193788624158
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
                                                                                                                                                      MD5:4E9CBDDEB999C4CA1EB9121F3DBD672F
                                                                                                                                                      SHA1:F4810A734698E86E4D3F4506CFFCF729D20F831F
                                                                                                                                                      SHA-256:46BFEC4CD4A28049CDFCB8D36576636199043F0753523182FD4686679AE48B8D
                                                                                                                                                      SHA-512:8286C442A54E4B79151B40C23FC1EE2DED3064A21A7DB480C0A0C5B0B972102EBD5A211C37E2EA7740679615394BA06B3BDA673B8F2957CA66C87D2E70B53CDE
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                                                                                      C:\Users\user\AppData\Roaming\OEcHGGP.exe

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\Desktop\HUEtVS3MQe.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):598016
                                                                                                                                                      Entropy (8bit):7.828517397838106
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:VndZauZt06GQyWgYOsmLzFcWMphB2/VawLTl761wXK7WqpyK:5dZauZtP1VOsmLJcWMphQrHg870yK
                                                                                                                                                      MD5:45209596CE41C4359E9006A940042763
                                                                                                                                                      SHA1:8559B5A187EE146A869301E5C0FB23A5C4510772
                                                                                                                                                      SHA-256:F228AF74ECF7302BB5E8D9CE8060A9AA3FC2BD583BD477E23543452CF1CEBAD6
                                                                                                                                                      SHA-512:16828ED08E983B6FC1FCE972CCFCEA10DD0DCCBF67602557B7071802D0F01E4754A63284EA05A9798CF7C8784D663DDC9D51FD601FE6F7B4407714B6BC3B1C39
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..............'... ...@....@.. ....................................`.................................h'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......8?...9......@....y..h...........................................V.(.......s....o.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..s6...}......}.....(.......(*....*&..(.....*....0..@.........{.....{....o;...(...+o ...

                                                                                                                                                      C:\Users\user\AppData\Roaming\OEcHGGP.exe:Zone.Identifier

                                                                                                                                                      Download File
                                                                                                                                                      Process:C:\Users\user\Desktop\HUEtVS3MQe.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):26
                                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Entropy (8bit):7.828517397838106
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                      File name:HUEtVS3MQe.exe
                                                                                                                                                      File size:598'016 bytes
                                                                                                                                                      MD5:45209596ce41c4359e9006a940042763
                                                                                                                                                      SHA1:8559b5a187ee146a869301e5c0fb23a5c4510772
                                                                                                                                                      SHA256:f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6
                                                                                                                                                      SHA512:16828ed08e983b6fc1fce972ccfcea10dd0dccbf67602557b7071802d0f01e4754a63284ea05a9798cf7c8784d663ddc9d51fd601fe6f7b4407714b6bc3b1c39
                                                                                                                                                      SSDEEP:12288:VndZauZt06GQyWgYOsmLzFcWMphB2/VawLTl761wXK7WqpyK:5dZauZtP1VOsmLJcWMphQrHg870yK
                                                                                                                                                      TLSH:D8D412A4A66AEC21D1A207F64931EBF70B342FCDE411D3098EFEECE7B6097511994391
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..............'... ...@....@.. ....................................`................................

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:01242c66198d8d9e

                                                                                                                                                      Static PE Info

                                                                                                                                                      General

                                                                                                                                                      Entrypoint:0x4927ba
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:false
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                      Time Stamp:0x6707ECEE [Thu Oct 10 15:04:14 2024 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                      OS Version Major:4
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:4
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                      Entrypoint Preview

                                                                                                                                                      Instruction
                                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al

                                                                                                                                                      Data Directories

                                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x927680x4f.text
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x940000x13a0.rsrc
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x960000xc.reloc
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                      Sections

                                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                      .text0x20000x907c00x90800d7c025aeb63288d2d24a17efd5b40d89False0.9248722696799307data7.83719992294818IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                      .rsrc0x940000x13a00x1400688288048db1cf098f11a1f4a79d8f18False0.7779296875data7.025557933868036IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                      .reloc0x960000xc0x200e5c46563253b75df89b63b14847a223bFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                      Resources

                                                                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                      RT_ICON0x940c80xf91PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.8936010037641154
                                                                                                                                                      RT_GROUP_ICON0x9506c0x14data1.05
                                                                                                                                                      RT_VERSION0x950900x30cdata0.42948717948717946

                                                                                                                                                      Imports

                                                                                                                                                      DLLImport
                                                                                                                                                      mscoree.dll_CorExeMain

                                                                                                                                                      Network Behavior

                                                                                                                                                      Suricata IDS Alerts

                                                                                                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                      2024-12-03T16:56:19.622146+01002849429ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577)11.1.1.153192.168.2.462268UDP
                                                                                                                                                      2024-12-03T16:56:42.094355+01002031412ET MALWARE FormBook CnC Checkin (GET)1192.168.2.45000723.167.152.4180TCP
                                                                                                                                                      2024-12-03T16:56:42.094355+01002031449ET MALWARE FormBook CnC Checkin (GET)1192.168.2.45000723.167.152.4180TCP
                                                                                                                                                      2024-12-03T16:56:42.094355+01002031453ET MALWARE FormBook CnC Checkin (GET)1192.168.2.45000723.167.152.4180TCP

                                                                                                                                                      Network Port Distribution

                                                                                                                                                      UDP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      Dec 3, 2024 16:53:55.243468046 CET5523353192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:53:55.469513893 CET53552331.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:54:15.211508036 CET6079753192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:54:15.439786911 CET53607971.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:54:35.352004051 CET6018053192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:54:35.584692001 CET53601801.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:54:55.883760929 CET5045953192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:54:56.200272083 CET53504591.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:55:16.496018887 CET5320353192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:55:16.741729975 CET53532031.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:55:37.836639881 CET6188753192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:55:38.068619013 CET53618871.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:55:58.930275917 CET4990753192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:55:59.281007051 CET53499071.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:56:19.383704901 CET6226853192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:56:19.622145891 CET53622681.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:56:39.809314966 CET5190953192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:56:40.804702044 CET5190953192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:56:41.058034897 CET53519091.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:56:41.455374956 CET53519091.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:57:00.574377060 CET6482453192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:57:01.024315119 CET53648241.1.1.1192.168.2.4
                                                                                                                                                      Dec 3, 2024 16:57:42.570851088 CET5442853192.168.2.41.1.1.1
                                                                                                                                                      Dec 3, 2024 16:57:42.792903900 CET53544281.1.1.1192.168.2.4

                                                                                                                                                      DNS Queries

                                                                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                      Dec 3, 2024 16:53:55.243468046 CET192.168.2.41.1.1.10xad6Standard query (0)www.indow-replacement-46487.bondA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:15.211508036 CET192.168.2.41.1.1.10xeb40Standard query (0)www.ighdd4675.onlineA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:35.352004051 CET192.168.2.41.1.1.10x8474Standard query (0)www.eceriyayinlari.xyzA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:55.883760929 CET192.168.2.41.1.1.10x8573Standard query (0)www.hopbestdeals.onlineA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:16.496018887 CET192.168.2.41.1.1.10xeaf2Standard query (0)www.etrot.proA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:37.836639881 CET192.168.2.41.1.1.10xc92fStandard query (0)www.hilohcreekpemf.onlineA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:58.930275917 CET192.168.2.41.1.1.10x7a3eStandard query (0)www.ilkool.infoA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:19.383704901 CET192.168.2.41.1.1.10x238Standard query (0)www.asposted.onlineA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:39.809314966 CET192.168.2.41.1.1.10x1662Standard query (0)www.18721.clubA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:40.804702044 CET192.168.2.41.1.1.10x1662Standard query (0)www.18721.clubA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:57:00.574377060 CET192.168.2.41.1.1.10x190Standard query (0)www.rogramdokpirdarmowy.todayA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:57:42.570851088 CET192.168.2.41.1.1.10xfdb5Standard query (0)www.ink-gluwty.onlineA (IP address)IN (0x0001)false

                                                                                                                                                      DNS Answers

                                                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                      Dec 3, 2024 16:53:55.469513893 CET1.1.1.1192.168.2.40xad6Name error (3)www.indow-replacement-46487.bondnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:15.439786911 CET1.1.1.1192.168.2.40xeb40Name error (3)www.ighdd4675.onlinenonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:35.584692001 CET1.1.1.1192.168.2.40x8474Name error (3)www.eceriyayinlari.xyznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:54:56.200272083 CET1.1.1.1192.168.2.40x8573Name error (3)www.hopbestdeals.onlinenonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:16.741729975 CET1.1.1.1192.168.2.40xeaf2Name error (3)www.etrot.prononenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:38.068619013 CET1.1.1.1192.168.2.40xc92fName error (3)www.hilohcreekpemf.onlinenonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:55:59.281007051 CET1.1.1.1192.168.2.40x7a3eName error (3)www.ilkool.infononenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:19.622145891 CET1.1.1.1192.168.2.40x238Name error (3)www.asposted.onlinenonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.058034897 CET1.1.1.1192.168.2.40x1662No error (0)www.18721.clubsjidfped.huhusddfnsuegcdn.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.058034897 CET1.1.1.1192.168.2.40x1662No error (0)sjidfped.huhusddfnsuegcdn.comgtml.huksa.huhusddfnsuegcdn.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.058034897 CET1.1.1.1192.168.2.40x1662No error (0)gtml.huksa.huhusddfnsuegcdn.com23.167.152.41A (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.455374956 CET1.1.1.1192.168.2.40x1662No error (0)www.18721.clubsjidfped.huhusddfnsuegcdn.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.455374956 CET1.1.1.1192.168.2.40x1662No error (0)sjidfped.huhusddfnsuegcdn.comgtml.huksa.huhusddfnsuegcdn.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:56:41.455374956 CET1.1.1.1192.168.2.40x1662No error (0)gtml.huksa.huhusddfnsuegcdn.com23.167.152.41A (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:57:01.024315119 CET1.1.1.1192.168.2.40x190Name error (3)www.rogramdokpirdarmowy.todaynonenoneA (IP address)IN (0x0001)false
                                                                                                                                                      Dec 3, 2024 16:57:42.792903900 CET1.1.1.1192.168.2.40xfdb5Name error (3)www.ink-gluwty.onlinenonenoneA (IP address)IN (0x0001)false

                                                                                                                                                      Statistics

                                                                                                                                                      CPU Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      Memory Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                                      Behavior

                                                                                                                                                      Click to jump to process

                                                                                                                                                      System Behavior

                                                                                                                                                      General

                                                                                                                                                      Target ID:0
                                                                                                                                                      Start time:10:53:16
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Users\user\Desktop\HUEtVS3MQe.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Users\user\Desktop\HUEtVS3MQe.exe"
                                                                                                                                                      Imagebase:0xa80000
                                                                                                                                                      File size:598'016 bytes
                                                                                                                                                      MD5 hash:45209596CE41C4359E9006A940042763
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1729771264.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Reputation:low
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:2
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OEcHGGP.exe"
                                                                                                                                                      Imagebase:0x590000
                                                                                                                                                      File size:433'152 bytes
                                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:3
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:4
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp918E.tmp"
                                                                                                                                                      Imagebase:0xb0000
                                                                                                                                                      File size:187'904 bytes
                                                                                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:5
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:6
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                      Imagebase:0x9b0000
                                                                                                                                                      File size:45'984 bytes
                                                                                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:7
                                                                                                                                                      Start time:10:53:18
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                      Imagebase:0x7ff72b770000
                                                                                                                                                      File size:5'141'208 bytes
                                                                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4161736928.000000000E6AC000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:false

                                                                                                                                                      General

                                                                                                                                                      Target ID:8
                                                                                                                                                      Start time:10:53:19
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Users\user\AppData\Roaming\OEcHGGP.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\OEcHGGP.exe
                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                      File size:598'016 bytes
                                                                                                                                                      MD5 hash:45209596CE41C4359E9006A940042763
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1773250209.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Antivirus matches:
                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                      • Detection: 74%, ReversingLabs
                                                                                                                                                      Reputation:low
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:9
                                                                                                                                                      Start time:10:53:20
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                      Imagebase:0x7ff693ab0000
                                                                                                                                                      File size:496'640 bytes
                                                                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:false

                                                                                                                                                      General

                                                                                                                                                      Target ID:10
                                                                                                                                                      Start time:10:53:21
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OEcHGGP" /XML "C:\Users\user\AppData\Local\Temp\tmp9CE8.tmp"
                                                                                                                                                      Imagebase:0xb0000
                                                                                                                                                      File size:187'904 bytes
                                                                                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:11
                                                                                                                                                      Start time:10:53:21
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:12
                                                                                                                                                      Start time:10:53:21
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                      Imagebase:0xbc0000
                                                                                                                                                      File size:45'984 bytes
                                                                                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:13
                                                                                                                                                      Start time:10:53:22
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\mstsc.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                                                                                                                                      Imagebase:0x8a0000
                                                                                                                                                      File size:1'264'640 bytes
                                                                                                                                                      MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4147785372.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4147716932.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4147191859.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Has exited:false

                                                                                                                                                      General

                                                                                                                                                      Target ID:14
                                                                                                                                                      Start time:10:53:22
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Windows\SysWOW64\wlanext.exe"
                                                                                                                                                      Imagebase:0xda0000
                                                                                                                                                      File size:78'336 bytes
                                                                                                                                                      MD5 hash:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1780647749.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:15
                                                                                                                                                      Start time:10:53:25
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      General

                                                                                                                                                      Target ID:16
                                                                                                                                                      Start time:10:53:25
                                                                                                                                                      Start date:03/12/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Disassembly

                                                                                                                                                      Reset < >

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:12.2%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                        Total number of Nodes:305
                                                                                                                                                        Total number of Limit Nodes:6
                                                                                                                                                        execution_graph 36645 2c0d040 36646 2c0d086 36645->36646 36650 2c0d618 36646->36650 36654 2c0d628 36646->36654 36647 2c0d173 36651 2c0d628 36650->36651 36657 2c0d27c 36651->36657 36655 2c0d27c DuplicateHandle 36654->36655 36656 2c0d656 36655->36656 36656->36647 36658 2c0d690 DuplicateHandle 36657->36658 36659 2c0d656 36658->36659 36659->36647 36765 78d8e1e 36766 78d8e10 36765->36766 36767 78d8e16 36766->36767 36769 78d8f60 36766->36769 36770 78d8ef5 36769->36770 36772 78d8f67 36769->36772 36773 78d8f01 PostMessageW 36770->36773 36772->36772 36773->36769 36848 2c04668 36849 2c0467a 36848->36849 36850 2c04686 36849->36850 36854 2c04779 36849->36854 36859 2c03e34 36850->36859 36852 2c046a5 36855 2c0479d 36854->36855 36863 2c04888 36855->36863 36867 2c04879 36855->36867 36860 2c03e3f 36859->36860 36875 2c05c44 36860->36875 36862 2c06fe0 36862->36852 36865 2c048af 36863->36865 36864 2c0498c 36864->36864 36865->36864 36871 2c044b4 36865->36871 36868 2c04888 36867->36868 36869 2c0498c 36868->36869 36870 2c044b4 CreateActCtxA 36868->36870 36870->36869 36872 2c05918 CreateActCtxA 36871->36872 36874 2c059db 36872->36874 36876 2c05c4f 36875->36876 36879 2c05c64 36876->36879 36878 2c070ed 36878->36862 36880 2c05c6f 36879->36880 36883 2c05c94 36880->36883 36882 2c071c2 36882->36878 36884 2c05c9f 36883->36884 36885 2c05cc4 3 API calls 36884->36885 36886 2c072c5 36885->36886 36886->36882 36660 53a75f0 36661 53a761d 36660->36661 36664 53a6af8 36661->36664 36663 53a767f 36665 53a6b03 36664->36665 36666 53a98ea 36665->36666 36669 2c05cc4 36665->36669 36676 2c08308 36665->36676 36666->36663 36670 2c05ccf 36669->36670 36672 2c085cb 36670->36672 36683 2c0ac78 36670->36683 36671 2c08609 36671->36666 36672->36671 36687 2c0cd78 36672->36687 36692 2c0cd68 36672->36692 36677 2c0830b 36676->36677 36679 2c085cb 36677->36679 36680 2c0ac78 GetModuleHandleW 36677->36680 36678 2c08609 36678->36666 36679->36678 36681 2c0cd68 3 API calls 36679->36681 36682 2c0cd78 3 API calls 36679->36682 36680->36679 36681->36678 36682->36678 36697 2c0aca0 36683->36697 36700 2c0acb0 36683->36700 36684 2c0ac8e 36684->36672 36688 2c0cd99 36687->36688 36689 2c0cdbd 36688->36689 36708 2c0cf28 36688->36708 36712 2c0cf19 36688->36712 36689->36671 36693 2c0cd99 36692->36693 36694 2c0cdbd 36693->36694 36695 2c0cf28 3 API calls 36693->36695 36696 2c0cf19 3 API calls 36693->36696 36694->36671 36695->36694 36696->36694 36703 2c0ada8 36697->36703 36698 2c0acbf 36698->36684 36701 2c0acbf 36700->36701 36702 2c0ada8 GetModuleHandleW 36700->36702 36701->36684 36702->36701 36704 2c0addc 36703->36704 36705 2c0adb9 36703->36705 36704->36698 36705->36704 36706 2c0afe0 GetModuleHandleW 36705->36706 36707 2c0b00d 36706->36707 36707->36698 36709 2c0cf35 36708->36709 36711 2c0cf6f 36709->36711 36716 2c0bae0 36709->36716 36711->36689 36713 2c0cf28 36712->36713 36714 2c0bae0 3 API calls 36713->36714 36715 2c0cf6f 36713->36715 36714->36715 36715->36689 36717 2c0baeb 36716->36717 36719 2c0dc88 36717->36719 36720 2c0d2dc 36717->36720 36719->36719 36721 2c0d2e7 36720->36721 36722 2c05cc4 3 API calls 36721->36722 36723 2c0dcf7 36722->36723 36727 2c0fa88 36723->36727 36733 2c0fa70 36723->36733 36724 2c0dd31 36724->36719 36729 2c0fab9 36727->36729 36730 2c0fbb9 36727->36730 36728 2c0fac5 36728->36724 36729->36728 36738 53a09b0 36729->36738 36743 53a09c0 36729->36743 36730->36724 36735 2c0fa88 36733->36735 36734 2c0fac5 36734->36724 36735->36734 36736 53a09b0 2 API calls 36735->36736 36737 53a09c0 2 API calls 36735->36737 36736->36734 36737->36734 36739 53a09eb 36738->36739 36740 53a0a9a 36739->36740 36748 53a18a0 36739->36748 36752 53a1890 36739->36752 36745 53a09eb 36743->36745 36744 53a0a9a 36745->36744 36746 53a18a0 2 API calls 36745->36746 36747 53a1890 2 API calls 36745->36747 36746->36744 36747->36744 36757 53a18f0 36748->36757 36761 53a18e4 36748->36761 36753 53a18a0 36752->36753 36755 53a18f0 CreateWindowExW 36753->36755 36756 53a18e4 CreateWindowExW 36753->36756 36754 53a18d5 36754->36740 36755->36754 36756->36754 36758 53a1958 CreateWindowExW 36757->36758 36760 53a1a14 36758->36760 36762 53a18f0 CreateWindowExW 36761->36762 36764 53a1a14 36762->36764 36887 78d4ca6 36888 78d4cdb 36887->36888 36889 78d4c31 36887->36889 36892 78d7ab8 36888->36892 36909 78d7ac8 36888->36909 36889->36889 36893 78d7ae2 36892->36893 36926 78d84ec 36893->36926 36931 78d82ed 36893->36931 36936 78d89b3 36893->36936 36940 78d84b3 36893->36940 36944 78d8411 36893->36944 36948 78d7f34 36893->36948 36953 78d8455 36893->36953 36958 78d7ffb 36893->36958 36964 78d8722 36893->36964 36969 78d8003 36893->36969 36974 78d81e6 36893->36974 36979 78d83c4 36893->36979 36985 78d7f8e 36893->36985 36990 78d822f 36893->36990 36894 78d7b06 36894->36889 36910 78d7ae2 36909->36910 36912 78d82ed 2 API calls 36910->36912 36913 78d84ec 2 API calls 36910->36913 36914 78d822f 2 API calls 36910->36914 36915 78d7f8e 2 API calls 36910->36915 36916 78d83c4 2 API calls 36910->36916 36917 78d81e6 2 API calls 36910->36917 36918 78d8003 2 API calls 36910->36918 36919 78d8722 2 API calls 36910->36919 36920 78d7ffb 2 API calls 36910->36920 36921 78d8455 2 API calls 36910->36921 36922 78d7f34 2 API calls 36910->36922 36923 78d8411 2 API calls 36910->36923 36924 78d84b3 2 API calls 36910->36924 36925 78d89b3 2 API calls 36910->36925 36911 78d7b06 36911->36889 36912->36911 36913->36911 36914->36911 36915->36911 36916->36911 36917->36911 36918->36911 36919->36911 36920->36911 36921->36911 36922->36911 36923->36911 36924->36911 36925->36911 36927 78d84f2 36926->36927 36994 78d4598 36927->36994 36998 78d4591 36927->36998 36928 78d8454 36932 78d82fa 36931->36932 37002 78d3ad8 36932->37002 37006 78d3ae0 36932->37006 36933 78d8493 37010 78d3b88 36936->37010 37014 78d3b90 36936->37014 36937 78d89cd 36942 78d3b88 Wow64SetThreadContext 36940->36942 36943 78d3b90 Wow64SetThreadContext 36940->36943 36941 78d84cd 36942->36941 36943->36941 36946 78d4598 WriteProcessMemory 36944->36946 36947 78d4591 WriteProcessMemory 36944->36947 36945 78d83a7 36945->36894 36946->36945 36947->36945 36949 78d7f85 36948->36949 37018 78d4819 36949->37018 37022 78d4820 36949->37022 36954 78d847e 36953->36954 36956 78d3ad8 ResumeThread 36954->36956 36957 78d3ae0 ResumeThread 36954->36957 36955 78d8493 36956->36955 36957->36955 36959 78d7f72 36958->36959 36960 78d7f6a 36959->36960 36962 78d4819 CreateProcessA 36959->36962 36963 78d4820 CreateProcessA 36959->36963 36960->36894 36961 78d805b 36961->36894 36962->36961 36963->36961 36965 78d8503 36964->36965 36966 78d8454 36964->36966 36967 78d4598 WriteProcessMemory 36965->36967 36968 78d4591 WriteProcessMemory 36965->36968 36967->36966 36968->36966 36970 78d7f4f 36969->36970 36972 78d4819 CreateProcessA 36970->36972 36973 78d4820 CreateProcessA 36970->36973 36971 78d805b 36971->36894 36972->36971 36973->36971 36975 78d81ec 36974->36975 37026 78d4688 36975->37026 37030 78d4686 36975->37030 36976 78d820f 36976->36894 36980 78d83ca 36979->36980 36982 78d8083 36980->36982 37034 78d44d8 36980->37034 37038 78d44d0 36980->37038 36981 78d83e9 36981->36894 36982->36894 36986 78d7fab 36985->36986 36988 78d4819 CreateProcessA 36986->36988 36989 78d4820 CreateProcessA 36986->36989 36987 78d805b 36987->36894 36988->36987 36989->36987 36992 78d4598 WriteProcessMemory 36990->36992 36993 78d4591 WriteProcessMemory 36990->36993 36991 78d8177 36991->36894 36992->36991 36993->36991 36995 78d45e0 WriteProcessMemory 36994->36995 36997 78d4637 36995->36997 36997->36928 36999 78d4598 WriteProcessMemory 36998->36999 37001 78d4637 36999->37001 37001->36928 37003 78d3ae0 ResumeThread 37002->37003 37005 78d3b51 37003->37005 37005->36933 37007 78d3b20 ResumeThread 37006->37007 37009 78d3b51 37007->37009 37009->36933 37011 78d3bd5 Wow64SetThreadContext 37010->37011 37013 78d3c1d 37011->37013 37013->36937 37015 78d3bd5 Wow64SetThreadContext 37014->37015 37017 78d3c1d 37015->37017 37017->36937 37019 78d481f CreateProcessA 37018->37019 37021 78d4a6b 37019->37021 37021->37021 37023 78d4883 CreateProcessA 37022->37023 37025 78d4a6b 37023->37025 37025->37025 37027 78d46d3 ReadProcessMemory 37026->37027 37029 78d4717 37027->37029 37029->36976 37031 78d4688 ReadProcessMemory 37030->37031 37033 78d4717 37031->37033 37033->36976 37035 78d4518 VirtualAllocEx 37034->37035 37037 78d4555 37035->37037 37037->36981 37039 78d4518 VirtualAllocEx 37038->37039 37041 78d4555 37039->37041 37041->36981 36774 140d01c 36775 140d034 36774->36775 36776 140d08e 36775->36776 36781 53a1aa8 36775->36781 36786 53a1a97 36775->36786 36791 53a2808 36775->36791 36796 53a2818 36775->36796 36782 53a1ace 36781->36782 36784 53a2818 2 API calls 36782->36784 36785 53a2808 2 API calls 36782->36785 36783 53a1aef 36783->36776 36784->36783 36785->36783 36787 53a1aa8 36786->36787 36789 53a2818 2 API calls 36787->36789 36790 53a2808 2 API calls 36787->36790 36788 53a1aef 36788->36776 36789->36788 36790->36788 36792 53a280d 36791->36792 36793 53a2877 36792->36793 36801 53a29a0 36792->36801 36806 53a2990 36792->36806 36797 53a2845 36796->36797 36798 53a2877 36797->36798 36799 53a29a0 2 API calls 36797->36799 36800 53a2990 2 API calls 36797->36800 36799->36798 36800->36798 36803 53a29b4 36801->36803 36802 53a2a40 36802->36793 36811 53a2a58 36803->36811 36815 53a2a48 36803->36815 36808 53a29b4 36806->36808 36807 53a2a40 36807->36793 36809 53a2a58 2 API calls 36808->36809 36810 53a2a48 2 API calls 36808->36810 36809->36807 36810->36807 36813 53a2a69 36811->36813 36820 53a3fe8 36811->36820 36825 53a3f54 36811->36825 36813->36802 36816 53a2a58 36815->36816 36817 53a2a69 36816->36817 36818 53a3fe8 2 API calls 36816->36818 36819 53a3f54 2 API calls 36816->36819 36817->36802 36818->36817 36819->36817 36821 53a3ff4 36820->36821 36821->36813 36830 53a4030 36821->36830 36834 53a4040 36821->36834 36822 53a402a 36822->36813 36826 53a3f86 36825->36826 36826->36813 36828 53a4030 CallWindowProcW 36826->36828 36829 53a4040 CallWindowProcW 36826->36829 36827 53a402a 36827->36813 36828->36827 36829->36827 36831 53a4040 36830->36831 36832 53a40da CallWindowProcW 36831->36832 36833 53a4089 36831->36833 36832->36833 36833->36822 36835 53a4082 36834->36835 36837 53a4089 36834->36837 36836 53a40da CallWindowProcW 36835->36836 36835->36837 36836->36837 36837->36822 36838 78d8c50 36840 78d8ddb 36838->36840 36842 78d8c76 36838->36842 36839 78d8e16 36840->36839 36843 78d8f60 PostMessageW 36840->36843 36842->36840 36844 78d5628 36842->36844 36843->36839 36845 78d8ed0 PostMessageW 36844->36845 36847 78d8f33 36845->36847 36847->36842 37042 75607f8 37043 7563438 CreateIconFromResourceEx 37042->37043 37044 75634b6 37043->37044

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 075607B0 Relevance: 6.9, Strings: 5, Instructions: 618COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 294 75607b0-7562ae8 297 7562aee-7562af3 294->297 298 7562fcb-7563034 294->298 297->298 299 7562af9-7562b16 297->299 306 756303b-75630c3 298->306 305 7562b1c-7562b20 299->305 299->306 307 7562b22-7562b2c call 75607c0 305->307 308 7562b2f-7562b33 305->308 350 75630ce-756314e 306->350 307->308 311 7562b35-7562b3f call 75607c0 308->311 312 7562b42-7562b49 308->312 311->312 316 7562c64-7562c69 312->316 317 7562b4f-7562b7f 312->317 321 7562c71-7562c76 316->321 322 7562c6b-7562c6f 316->322 326 7562b85-7562c58 call 75607cc * 2 317->326 327 756334e-7563374 317->327 325 7562c88-7562cb8 call 75607d8 * 3 321->325 322->321 324 7562c78-7562c7c 322->324 324->327 331 7562c82-7562c85 324->331 325->350 351 7562cbe-7562cc1 325->351 326->316 358 7562c5a 326->358 339 7563376-7563382 327->339 340 7563384 327->340 331->325 344 7563387-756338c 339->344 340->344 365 7563155-75631d7 350->365 351->350 353 7562cc7-7562cc9 351->353 353->350 356 7562ccf-7562d04 353->356 356->365 366 7562d0a-7562d13 356->366 358->316 373 75631df-7563261 365->373 368 7562e76-7562e7a 366->368 369 7562d19-7562d73 call 75607d8 * 2 call 75607e8 * 2 366->369 372 7562e80-7562e84 368->372 368->373 413 7562d85 369->413 414 7562d75-7562d7e 369->414 376 7562e8a-7562e90 372->376 377 7563269-7563296 372->377 373->377 381 7562e94-7562ec9 376->381 382 7562e92 376->382 390 756329d-756331d 377->390 383 7562ed0-7562ed6 381->383 382->383 389 7562edc-7562ee4 383->389 383->390 395 7562ee6-7562eea 389->395 396 7562eeb-7562eed 389->396 446 7563324-7563346 390->446 395->396 402 7562f4f-7562f55 396->402 403 7562eef-7562f13 396->403 408 7562f57-7562f72 402->408 409 7562f74-7562fa2 402->409 431 7562f15-7562f1a 403->431 432 7562f1c-7562f20 403->432 429 7562faa-7562fb6 408->429 409->429 419 7562d89-7562d8b 413->419 418 7562d80-7562d83 414->418 414->419 418->419 427 7562d92-7562d96 419->427 428 7562d8d 419->428 433 7562da4-7562daa 427->433 434 7562d98-7562d9f 427->434 428->427 429->446 447 7562fbc-7562fc8 429->447 438 7562f2c-7562f3d 431->438 432->327 439 7562f26-7562f29 432->439 435 7562db4-7562db9 433->435 436 7562dac-7562db2 433->436 443 7562e41-7562e45 434->443 444 7562dbf-7562dc5 435->444 436->444 455 7562f45-7562f4d 438->455 439->438 448 7562e47-7562e61 443->448 449 7562e64-7562e70 443->449 451 7562dc7-7562dc9 444->451 452 7562dcb-7562dd0 444->452 446->327 448->449 449->368 449->369 458 7562dd2-7562de4 451->458 452->458 455->429 464 7562de6-7562dec 458->464 465 7562dee-7562df3 458->465 466 7562df9-7562e00 464->466 465->466 471 7562e06 466->471 472 7562e02-7562e04 466->472 473 7562e0b-7562e16 471->473 472->473 475 7562e3a 473->475 476 7562e18-7562e1b 473->476 475->443 476->443 478 7562e1d-7562e23 476->478 479 7562e25-7562e28 478->479 480 7562e2a-7562e33 478->480 479->475 479->480 480->443 482 7562e35-7562e38 480->482 482->443 482->475
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1734787568.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1734734493.0000000007550000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7550000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: Hhq$Hhq$Hhq$Hhq$Hhq
                                                                                                                                                        • API String ID: 0-1427472961
                                                                                                                                                        • Opcode ID: 867932c2b456737733adfb2d045f6f69eedd0a6dc7aa6b367e48933b64c06b76
                                                                                                                                                        • Instruction ID: 58a77f7653cad7ba5e4f02b8c4c4c77a9438a1d2314e2f5e7f234e8921d274b7
                                                                                                                                                        • Opcode Fuzzy Hash: 867932c2b456737733adfb2d045f6f69eedd0a6dc7aa6b367e48933b64c06b76
                                                                                                                                                        • Instruction Fuzzy Hash: DA3261B1A002198FDB54DFA8C4947AEBBF2BF84300F14856AD509AB395DF349D86CF51
                                                                                                                                                        Function 078DA2C0 Relevance: .6, Instructions: 608COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1f3342715e20d9e7796b3e69bb0902efd59c1cc57d85712773ccc7148cd4eb62
                                                                                                                                                        • Instruction ID: 942c62b364f870ac94599706c0bdf63e53955d6b232927f6da479eacda75eca8
                                                                                                                                                        • Opcode Fuzzy Hash: 1f3342715e20d9e7796b3e69bb0902efd59c1cc57d85712773ccc7148cd4eb62
                                                                                                                                                        • Instruction Fuzzy Hash: FB3278B1B012059FDB19DFA9C594BAEB7F6AF89300F248469E506DB390CB35ED01CB52
                                                                                                                                                        Function 078D4819 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1381 78d4819-78d481d 1382 78d481f-78d487e 1381->1382 1383 78d4883-78d48b5 1381->1383 1382->1383 1386 78d48ee-78d490e 1383->1386 1387 78d48b7-78d48c1 1383->1387 1392 78d4947-78d4976 1386->1392 1393 78d4910-78d491a 1386->1393 1387->1386 1388 78d48c3-78d48c5 1387->1388 1390 78d48e8-78d48eb 1388->1390 1391 78d48c7-78d48d1 1388->1391 1390->1386 1394 78d48d5-78d48e4 1391->1394 1395 78d48d3 1391->1395 1403 78d49af-78d4a69 CreateProcessA 1392->1403 1404 78d4978-78d4982 1392->1404 1393->1392 1396 78d491c-78d491e 1393->1396 1394->1394 1397 78d48e6 1394->1397 1395->1394 1398 78d4941-78d4944 1396->1398 1399 78d4920-78d492a 1396->1399 1397->1390 1398->1392 1401 78d492c 1399->1401 1402 78d492e-78d493d 1399->1402 1401->1402 1402->1402 1405 78d493f 1402->1405 1415 78d4a6b-78d4a71 1403->1415 1416 78d4a72-78d4af8 1403->1416 1404->1403 1406 78d4984-78d4986 1404->1406 1405->1398 1407 78d49a9-78d49ac 1406->1407 1408 78d4988-78d4992 1406->1408 1407->1403 1410 78d4994 1408->1410 1411 78d4996-78d49a5 1408->1411 1410->1411 1411->1411 1412 78d49a7 1411->1412 1412->1407 1415->1416 1426 78d4b08-78d4b0c 1416->1426 1427 78d4afa-78d4afe 1416->1427 1428 78d4b1c-78d4b20 1426->1428 1429 78d4b0e-78d4b12 1426->1429 1427->1426 1430 78d4b00 1427->1430 1432 78d4b30-78d4b34 1428->1432 1433 78d4b22-78d4b26 1428->1433 1429->1428 1431 78d4b14 1429->1431 1430->1426 1431->1428 1435 78d4b46-78d4b4d 1432->1435 1436 78d4b36-78d4b3c 1432->1436 1433->1432 1434 78d4b28 1433->1434 1434->1432 1437 78d4b4f-78d4b5e 1435->1437 1438 78d4b64 1435->1438 1436->1435 1437->1438 1439 78d4b65 1438->1439 1439->1439
                                                                                                                                                        APIs
                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078D4A56
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                        • Opcode ID: d90bb29e6f3d9cf45ceae8ba6290aa2979a166b92a1fe06ab3b4a8dae274e8d9
                                                                                                                                                        • Instruction ID: 1feab926ed91864834fd4dd584223e89e14d6b0dded416c4c5ea846c13541418
                                                                                                                                                        • Opcode Fuzzy Hash: d90bb29e6f3d9cf45ceae8ba6290aa2979a166b92a1fe06ab3b4a8dae274e8d9
                                                                                                                                                        • Instruction Fuzzy Hash: DFA159B1D0025ADFDB20DFA9C841BEDBBB2BB54310F1481A9D848E7250DB759985CF91
                                                                                                                                                        Function 078D4820 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1441 78d4820-78d48b5 1444 78d48ee-78d490e 1441->1444 1445 78d48b7-78d48c1 1441->1445 1450 78d4947-78d4976 1444->1450 1451 78d4910-78d491a 1444->1451 1445->1444 1446 78d48c3-78d48c5 1445->1446 1448 78d48e8-78d48eb 1446->1448 1449 78d48c7-78d48d1 1446->1449 1448->1444 1452 78d48d5-78d48e4 1449->1452 1453 78d48d3 1449->1453 1461 78d49af-78d4a69 CreateProcessA 1450->1461 1462 78d4978-78d4982 1450->1462 1451->1450 1454 78d491c-78d491e 1451->1454 1452->1452 1455 78d48e6 1452->1455 1453->1452 1456 78d4941-78d4944 1454->1456 1457 78d4920-78d492a 1454->1457 1455->1448 1456->1450 1459 78d492c 1457->1459 1460 78d492e-78d493d 1457->1460 1459->1460 1460->1460 1463 78d493f 1460->1463 1473 78d4a6b-78d4a71 1461->1473 1474 78d4a72-78d4af8 1461->1474 1462->1461 1464 78d4984-78d4986 1462->1464 1463->1456 1465 78d49a9-78d49ac 1464->1465 1466 78d4988-78d4992 1464->1466 1465->1461 1468 78d4994 1466->1468 1469 78d4996-78d49a5 1466->1469 1468->1469 1469->1469 1470 78d49a7 1469->1470 1470->1465 1473->1474 1484 78d4b08-78d4b0c 1474->1484 1485 78d4afa-78d4afe 1474->1485 1486 78d4b1c-78d4b20 1484->1486 1487 78d4b0e-78d4b12 1484->1487 1485->1484 1488 78d4b00 1485->1488 1490 78d4b30-78d4b34 1486->1490 1491 78d4b22-78d4b26 1486->1491 1487->1486 1489 78d4b14 1487->1489 1488->1484 1489->1486 1493 78d4b46-78d4b4d 1490->1493 1494 78d4b36-78d4b3c 1490->1494 1491->1490 1492 78d4b28 1491->1492 1492->1490 1495 78d4b4f-78d4b5e 1493->1495 1496 78d4b64 1493->1496 1494->1493 1495->1496 1497 78d4b65 1496->1497 1497->1497
                                                                                                                                                        APIs
                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078D4A56
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                        • Opcode ID: 7a2fb38d9b0484755adb90111e45ceb1e443583f29fe11ae009a659076723634
                                                                                                                                                        • Instruction ID: 6d5a63b42ccd42ad8e0acc811629c8f96041b3ce9774955c9dd0468259322d43
                                                                                                                                                        • Opcode Fuzzy Hash: 7a2fb38d9b0484755adb90111e45ceb1e443583f29fe11ae009a659076723634
                                                                                                                                                        • Instruction Fuzzy Hash: EA9149B1D0025ADFDB20DFA9C841BEDBBB2BB58310F148169DC48E7250DB759985CF91
                                                                                                                                                        Function 02C0ADA8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1499 2c0ada8-2c0adb7 1500 2c0ade3-2c0ade7 1499->1500 1501 2c0adb9-2c0adc6 call 2c0a0cc 1499->1501 1502 2c0ade9-2c0adf3 1500->1502 1503 2c0adfb-2c0ae3c 1500->1503 1508 2c0adc8 1501->1508 1509 2c0addc 1501->1509 1502->1503 1510 2c0ae49-2c0ae57 1503->1510 1511 2c0ae3e-2c0ae46 1503->1511 1555 2c0adce call 2c0b040 1508->1555 1556 2c0adce call 2c0b030 1508->1556 1509->1500 1513 2c0ae59-2c0ae5e 1510->1513 1514 2c0ae7b-2c0ae7d 1510->1514 1511->1510 1512 2c0add4-2c0add6 1512->1509 1515 2c0af18-2c0afd8 1512->1515 1517 2c0ae60-2c0ae67 call 2c0a0d8 1513->1517 1518 2c0ae69 1513->1518 1516 2c0ae80-2c0ae87 1514->1516 1550 2c0afe0-2c0b00b GetModuleHandleW 1515->1550 1551 2c0afda-2c0afdd 1515->1551 1520 2c0ae94-2c0ae9b 1516->1520 1521 2c0ae89-2c0ae91 1516->1521 1519 2c0ae6b-2c0ae79 1517->1519 1518->1519 1519->1516 1524 2c0aea8-2c0aeaa call 2c0a0e8 1520->1524 1525 2c0ae9d-2c0aea5 1520->1525 1521->1520 1528 2c0aeaf-2c0aeb1 1524->1528 1525->1524 1530 2c0aeb3-2c0aebb 1528->1530 1531 2c0aebe-2c0aec3 1528->1531 1530->1531 1532 2c0aee1-2c0aeee 1531->1532 1533 2c0aec5-2c0aecc 1531->1533 1540 2c0aef0-2c0af0e 1532->1540 1541 2c0af11-2c0af17 1532->1541 1533->1532 1535 2c0aece-2c0aede call 2c0a0f8 call 2c0a108 1533->1535 1535->1532 1540->1541 1552 2c0b014-2c0b028 1550->1552 1553 2c0b00d-2c0b013 1550->1553 1551->1550 1553->1552 1555->1512 1556->1512
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C0AFFE
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: 605e5e2a3f9481b39a6b57debb0539442e9536fd846865f16c864b5bac2d4c92
                                                                                                                                                        • Instruction ID: d6af585d912817eda950e1331f2b5f9690a83ac0c884391b83f41ef2fc4920ef
                                                                                                                                                        • Opcode Fuzzy Hash: 605e5e2a3f9481b39a6b57debb0539442e9536fd846865f16c864b5bac2d4c92
                                                                                                                                                        • Instruction Fuzzy Hash: 61714670A00B458FD724DF2AC48075ABBF1FF88304F008A2DE59AD7A90DB75E959CB90
                                                                                                                                                        Function 02C0590C Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1557 2c0590c-2c05914 1558 2c058b1-2c058d9 1557->1558 1559 2c05916-2c059d9 CreateActCtxA 1557->1559 1562 2c058e2-2c05903 1558->1562 1563 2c058db-2c058e1 1558->1563 1564 2c059e2-2c05a3c 1559->1564 1565 2c059db-2c059e1 1559->1565 1563->1562 1573 2c05a4b-2c05a4f 1564->1573 1574 2c05a3e-2c05a41 1564->1574 1565->1564 1575 2c05a60-2c05a90 1573->1575 1576 2c05a51-2c05a5d 1573->1576 1574->1573 1580 2c05a42-2c05a4a 1575->1580 1581 2c05a92-2c05b14 1575->1581 1576->1575 1580->1573
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 02C059C9
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 8509f7757f80cc5bddb4809cf3649002c9e4d8ebdd5f5f9ecc0d639a6270dee2
                                                                                                                                                        • Instruction ID: 2dcaa8122ea53936b01a849d1d1893575752b420cf2052fb962f18a75517412d
                                                                                                                                                        • Opcode Fuzzy Hash: 8509f7757f80cc5bddb4809cf3649002c9e4d8ebdd5f5f9ecc0d639a6270dee2
                                                                                                                                                        • Instruction Fuzzy Hash: 5851E1B1C00719CFDB24CFAAC98579EBBF5BF48314F64806AD408AB291D775694ACF50
                                                                                                                                                        Function 053A18E4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1583 53a18e4-53a1956 1585 53a1958-53a195e 1583->1585 1586 53a1961-53a1968 1583->1586 1585->1586 1587 53a196a-53a1970 1586->1587 1588 53a1973-53a1a12 CreateWindowExW 1586->1588 1587->1588 1590 53a1a1b-53a1a53 1588->1590 1591 53a1a14-53a1a1a 1588->1591 1595 53a1a60 1590->1595 1596 53a1a55-53a1a58 1590->1596 1591->1590 1597 53a1a61 1595->1597 1596->1595 1597->1597
                                                                                                                                                        APIs
                                                                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053A1A02
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1731759897.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_53a0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateWindow
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 716092398-0
                                                                                                                                                        • Opcode ID: ceb5258d5007190c5c4e2545d64a36335b29de453783289846e41d12ce37041d
                                                                                                                                                        • Instruction ID: 3ac38fd8e5361ce07f33e1ccda5d06691fa8a560cae49c23c874b5cc74c2211d
                                                                                                                                                        • Opcode Fuzzy Hash: ceb5258d5007190c5c4e2545d64a36335b29de453783289846e41d12ce37041d
                                                                                                                                                        • Instruction Fuzzy Hash: DC51DFB1D10309DFDB14CF9AC984ADEBBB5FF88314F24812AE819AB214D7759985CF90
                                                                                                                                                        Function 053A18F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1598 53a18f0-53a1956 1599 53a1958-53a195e 1598->1599 1600 53a1961-53a1968 1598->1600 1599->1600 1601 53a196a-53a1970 1600->1601 1602 53a1973-53a1a12 CreateWindowExW 1600->1602 1601->1602 1604 53a1a1b-53a1a53 1602->1604 1605 53a1a14-53a1a1a 1602->1605 1609 53a1a60 1604->1609 1610 53a1a55-53a1a58 1604->1610 1605->1604 1611 53a1a61 1609->1611 1610->1609 1611->1611
                                                                                                                                                        APIs
                                                                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053A1A02
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1731759897.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_53a0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateWindow
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 716092398-0
                                                                                                                                                        • Opcode ID: ae70a71bd022d23acfd497aae59ee765dede1c6788fe8249d6a04804d275be31
                                                                                                                                                        • Instruction ID: 4e1927a76d52503e96958f35b6d805920c9f3553f5a31cf3e54dc969c34cefdc
                                                                                                                                                        • Opcode Fuzzy Hash: ae70a71bd022d23acfd497aae59ee765dede1c6788fe8249d6a04804d275be31
                                                                                                                                                        • Instruction Fuzzy Hash: 4841B1B1D10349DFDB14CF9AC984ADEBBB5FF88310F24812AE819AB214D7759985CF90
                                                                                                                                                        Function 02C044B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1612 2c044b4-2c059d9 CreateActCtxA 1615 2c059e2-2c05a3c 1612->1615 1616 2c059db-2c059e1 1612->1616 1623 2c05a4b-2c05a4f 1615->1623 1624 2c05a3e-2c05a41 1615->1624 1616->1615 1625 2c05a60-2c05a90 1623->1625 1626 2c05a51-2c05a5d 1623->1626 1624->1623 1630 2c05a42-2c05a4a 1625->1630 1631 2c05a92-2c05b14 1625->1631 1626->1625 1630->1623
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 02C059C9
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 0cff93cac47b1b26c0fc100e78a875f9e4ca281743779e1fed2b428f1e4f23d5
                                                                                                                                                        • Instruction ID: 14163cae688bc43c7cb622c388ce190b5f0dec45b287e23a2c4f39ddc41110cb
                                                                                                                                                        • Opcode Fuzzy Hash: 0cff93cac47b1b26c0fc100e78a875f9e4ca281743779e1fed2b428f1e4f23d5
                                                                                                                                                        • Instruction Fuzzy Hash: 6441C4B0D00619CBDB24DFAAC985B9EBBB5FF44304F60806AD408AB251DB75694ACF90
                                                                                                                                                        Function 053A4040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1633 53a4040-53a407c 1634 53a412c-53a414c 1633->1634 1635 53a4082-53a4087 1633->1635 1641 53a414f-53a415c 1634->1641 1636 53a40da-53a4112 CallWindowProcW 1635->1636 1637 53a4089-53a40c0 1635->1637 1638 53a411b-53a412a 1636->1638 1639 53a4114-53a411a 1636->1639 1644 53a40c9-53a40d8 1637->1644 1645 53a40c2-53a40c8 1637->1645 1638->1641 1639->1638 1644->1641 1645->1644
                                                                                                                                                        APIs
                                                                                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 053A4101
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1731759897.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_53a0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CallProcWindow
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2714655100-0
                                                                                                                                                        • Opcode ID: a0b653c02647136bc4d6857c4da24f2ff1e6446855d23a95b057d0142b4b4d4a
                                                                                                                                                        • Instruction ID: 68d458a50995a208d702b4f3409a02922a3625d5c67000ab6cab4de72ee98ecf
                                                                                                                                                        • Opcode Fuzzy Hash: a0b653c02647136bc4d6857c4da24f2ff1e6446855d23a95b057d0142b4b4d4a
                                                                                                                                                        • Instruction Fuzzy Hash: 6F41FAB5900305CFCB14CF99C889A9AFBF5FB88314F24C459D519AB321D7B5A845CFA0
                                                                                                                                                        Function 078D4591 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 1647 78d4591-78d45e6 1650 78d45e8-78d45f4 1647->1650 1651 78d45f6-78d4635 WriteProcessMemory 1647->1651 1650->1651 1653 78d463e-78d466e 1651->1653 1654 78d4637-78d463d 1651->1654 1654->1653
                                                                                                                                                        APIs
                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078D4628
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                        • Opcode ID: c5d4ebb40673777f71491d7f297dbcf51140338216384693d3f4bd2ee48b405a
                                                                                                                                                        • Instruction ID: 79b5d17ff453876d71ef788a339c05cab7e622318dedf04898c0711eee18ea30
                                                                                                                                                        • Opcode Fuzzy Hash: c5d4ebb40673777f71491d7f297dbcf51140338216384693d3f4bd2ee48b405a
                                                                                                                                                        • Instruction Fuzzy Hash: AA2168B19003499FCB10CFAAC885BDEBBF5FF48320F14842AE918A7241D7789945CBA0
                                                                                                                                                        Function 078D4598 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078D4628
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                        • Opcode ID: f4a6888581c090c22b64129f68b1bb1178d59c516f2ac7f7767911c122ddf4dd
                                                                                                                                                        • Instruction ID: d33903619bcc60df0717caa470d1a65d53268303c22d6f6c22324ad64b64f4d5
                                                                                                                                                        • Opcode Fuzzy Hash: f4a6888581c090c22b64129f68b1bb1178d59c516f2ac7f7767911c122ddf4dd
                                                                                                                                                        • Instruction Fuzzy Hash: 632166B19003499FDF10CFAAC885BDEBBF5FF48320F14842AE919A7240D7789944CBA0
                                                                                                                                                        Function 078D3B88 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078D3C0E
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                        • Opcode ID: daed21640a83aa98dd2878405f44e71004b91392b3cafda69a4bc9bb319870c0
                                                                                                                                                        • Instruction ID: 8eb894b9c127e80952dd4165571696da00bd798c8e8e5bb331e0a3547c00dc66
                                                                                                                                                        • Opcode Fuzzy Hash: daed21640a83aa98dd2878405f44e71004b91392b3cafda69a4bc9bb319870c0
                                                                                                                                                        • Instruction Fuzzy Hash: FC2145B19002098FDB10DFAAC4857AEFBF5EF48324F14842AD959A7240CB789945CBA1
                                                                                                                                                        Function 02C0D27C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C0D656,?,?,?,?,?), ref: 02C0D717
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: a2e7773289afc0d9bb8b36f948900b367cd303427dbd767e5c142e9dd478593f
                                                                                                                                                        • Instruction ID: 9f0ccd77ca44a31e99a9d7c62620722e3a8ec4e7ed877e6b8a859092c1290340
                                                                                                                                                        • Opcode Fuzzy Hash: a2e7773289afc0d9bb8b36f948900b367cd303427dbd767e5c142e9dd478593f
                                                                                                                                                        • Instruction Fuzzy Hash: AB21E6B5D00248DFDB10CF9AD584ADEFBF8EB48324F14841AE919A7350D374A954CFA4
                                                                                                                                                        Function 078D4686 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078D4708
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                        • Opcode ID: cfadee96317cd33d65e0f766c18ecc79bac531c9763dca70e745bfec4a1bf3e9
                                                                                                                                                        • Instruction ID: 8863a56c72596455001628c5e51a7d49c582c364a637c50319eafb264b6151e8
                                                                                                                                                        • Opcode Fuzzy Hash: cfadee96317cd33d65e0f766c18ecc79bac531c9763dca70e745bfec4a1bf3e9
                                                                                                                                                        • Instruction Fuzzy Hash: ED213CB1C003599FCB10DFAAC881ADEFBF5FF48310F10842AE519A7240C7749945DBA1
                                                                                                                                                        Function 078D4688 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078D4708
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                        • Opcode ID: 89d4f2100a0704f5acef30bf33e1fc94eb71dd5cdb128aa755bf9215257a793d
                                                                                                                                                        • Instruction ID: e0060575d9d1cfb8efd462b75801af1867287a592a3760d6a78a310bb0453834
                                                                                                                                                        • Opcode Fuzzy Hash: 89d4f2100a0704f5acef30bf33e1fc94eb71dd5cdb128aa755bf9215257a793d
                                                                                                                                                        • Instruction Fuzzy Hash: 782139B1C003599FCB10DFAAC881ADEFBF5FF48320F10842AE919A7240C7789945DBA1
                                                                                                                                                        Function 078D3B90 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078D3C0E
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                        • Opcode ID: ef5af03b8451d245abc83600aeda3d4faeff190b49959aa79174c0e95f1e1356
                                                                                                                                                        • Instruction ID: c4ef33edf37790e8f95e8a807564e01941b689a3fb58fdeae90e5a98b394313e
                                                                                                                                                        • Opcode Fuzzy Hash: ef5af03b8451d245abc83600aeda3d4faeff190b49959aa79174c0e95f1e1356
                                                                                                                                                        • Instruction Fuzzy Hash: E72118B19003099FDB10DFAAC4857EEFBF4EF58324F14842AD519A7640C7789945CFA5
                                                                                                                                                        Function 02C0D689 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C0D656,?,?,?,?,?), ref: 02C0D717
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: c5eaf0f0a65307f485be8277275a2cde9bccef520ee96b057fa9a14f100ab5ee
                                                                                                                                                        • Instruction ID: de67bc307696fd2b02e4ffe2e43783a899de2e69b185207546be1e5a47b24ca5
                                                                                                                                                        • Opcode Fuzzy Hash: c5eaf0f0a65307f485be8277275a2cde9bccef520ee96b057fa9a14f100ab5ee
                                                                                                                                                        • Instruction Fuzzy Hash: 9A21F3B5D00209DFDB10CFAAD585ADEBBF5FB48324F24841AE918A3350C378A954CF60
                                                                                                                                                        Function 075607F8 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07563402,?,?,?,?,?), ref: 075634A7
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1734787568.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1734734493.0000000007550000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7550000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateFromIconResource
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3668623891-0
                                                                                                                                                        • Opcode ID: fac4b2dc815e638a67975a2ba77be8a7d83833a0e8fefa9daf0b65f7f1289c29
                                                                                                                                                        • Instruction ID: 0a3fdc9fe909092dfbe0d6c03e9c550b2c35dc801b864470983885cd4fb0751d
                                                                                                                                                        • Opcode Fuzzy Hash: fac4b2dc815e638a67975a2ba77be8a7d83833a0e8fefa9daf0b65f7f1289c29
                                                                                                                                                        • Instruction Fuzzy Hash: 751129B59002499FDB10DF9AD848BDEBFF8EB48320F14841AE514A7210C375A954DFA4
                                                                                                                                                        Function 078D44D0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078D4546
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                        • Opcode ID: 5697744b1f55a8168b60f9cc2dee4f157c039a344e77c764a1d2ac34f85ac70b
                                                                                                                                                        • Instruction ID: 837287f708aa0d69150154dfc30f1c1eecbb336bfa132dbcfcff4b8d3c7a47a6
                                                                                                                                                        • Opcode Fuzzy Hash: 5697744b1f55a8168b60f9cc2dee4f157c039a344e77c764a1d2ac34f85ac70b
                                                                                                                                                        • Instruction Fuzzy Hash: C7116AB18002499FCB20DFAAC845BDEBFF5EF48324F24881AE959A7250C7759944CF90
                                                                                                                                                        Function 078D3AD8 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                        • Opcode ID: efdca45e5f8a428269e890c14cea070c8020fbfec3209045fbe9634989d97025
                                                                                                                                                        • Instruction ID: cca11dad743d5fa970cf2c17f0c4b10752b18a7b0a5f28af8463678bd475198e
                                                                                                                                                        • Opcode Fuzzy Hash: efdca45e5f8a428269e890c14cea070c8020fbfec3209045fbe9634989d97025
                                                                                                                                                        • Instruction Fuzzy Hash: F41149B19007498BCB20DFAAC4457DEFBF8EF88324F24881AD519A7640DB756944CBA5
                                                                                                                                                        Function 078D44D8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078D4546
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                        • Opcode ID: 81adcbf82800108ab059ba5b21a342d8fcd3a086e0daa7b93550b945073337d9
                                                                                                                                                        • Instruction ID: e606eacedb39f6c30e76634338c69a6071c527bc3251ad368499d879770db5d3
                                                                                                                                                        • Opcode Fuzzy Hash: 81adcbf82800108ab059ba5b21a342d8fcd3a086e0daa7b93550b945073337d9
                                                                                                                                                        • Instruction Fuzzy Hash: 44113AB19002499FCB20DFAAC845ADEBFF5EF48324F148419E919A7250C7759944DFA1
                                                                                                                                                        Function 078D3AE0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                        • Opcode ID: 1a259fbb61d2c9c69ab8f8bf5dd353a964098a215d32942ae9bb428007d9bc7b
                                                                                                                                                        • Instruction ID: a3cd46ff27f56807adf1f712673d0333add427d2a856834e65db7234c7aa55b9
                                                                                                                                                        • Opcode Fuzzy Hash: 1a259fbb61d2c9c69ab8f8bf5dd353a964098a215d32942ae9bb428007d9bc7b
                                                                                                                                                        • Instruction Fuzzy Hash: 49116AB1D003498FCB20DFAAC4457DEFBF8EF88324F248419D519A7240C7756944CBA5
                                                                                                                                                        Function 02C0AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C0AFFE
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: 271d42343025912ed9ceba16e870ccad1eae9b7e40b80003ee4ea7374415bae0
                                                                                                                                                        • Instruction ID: 8963ec9b4bc24eeb45490d7b4daf33f6684251645fb94fa0bb3686d8eb5712de
                                                                                                                                                        • Opcode Fuzzy Hash: 271d42343025912ed9ceba16e870ccad1eae9b7e40b80003ee4ea7374415bae0
                                                                                                                                                        • Instruction Fuzzy Hash: 6D11D2B5C002498FCB20DF9AC544B9EFBF4AB88328F14845AD529A7650D375A545CFA1
                                                                                                                                                        Function 078D8EC8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 078D8F2D
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                        • Opcode ID: c52e8b7b8cbd4e712ea580bcf8863c36c43986109e03c0ca31cfae1163a3143d
                                                                                                                                                        • Instruction ID: 37d5e1096b7c5df5853e5fe50ac04cbeb02f1b7f55376836beca43830c068d65
                                                                                                                                                        • Opcode Fuzzy Hash: c52e8b7b8cbd4e712ea580bcf8863c36c43986109e03c0ca31cfae1163a3143d
                                                                                                                                                        • Instruction Fuzzy Hash: 1111F8B58003499FCB20DF9AD845BDEBBF8EB58320F10851AD518A7650C3756984CFA1
                                                                                                                                                        Function 078D8F01 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 078D8F2D
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                        • Opcode ID: 685fbc20d0edd9da1070ab91795c458b4ce73749369e3a1226e5b704b979ee87
                                                                                                                                                        • Instruction ID: dfc1df2e5169ee504800047da00f034029d786d28b6c0e8c8bc520873aaa3f80
                                                                                                                                                        • Opcode Fuzzy Hash: 685fbc20d0edd9da1070ab91795c458b4ce73749369e3a1226e5b704b979ee87
                                                                                                                                                        • Instruction Fuzzy Hash: EDF0E7B5800309DFDB10CF89D844BDEBBF5EB58324F14845AE558A7210C379A544CFA1
                                                                                                                                                        Function 013FD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728206736.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_13fd000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7c3773d5eb13b89334fc06b3b2d0d3b9ea8dd6b6e00f4fe367ff45fbdd6cf953
                                                                                                                                                        • Instruction ID: 3a9d129a793a0b6eac4ba7586692fa310263e97b67aa5fc6936a6332321dc74b
                                                                                                                                                        • Opcode Fuzzy Hash: 7c3773d5eb13b89334fc06b3b2d0d3b9ea8dd6b6e00f4fe367ff45fbdd6cf953
                                                                                                                                                        • Instruction Fuzzy Hash: 27216AB1104204DFDB05DF48D9C8B66BF69FB84328F20C56DEA0A1B256C736E446CBA1
                                                                                                                                                        Function 013FD4C4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728206736.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_13fd000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1663c094411967d316a68a8cede4b1dee0f552e8b6be5913d8e5013fe5200c60
                                                                                                                                                        • Instruction ID: a5741ff03aed788f617f723001fdc7e9a56c9b244e0db4da89baedc1094f5b10
                                                                                                                                                        • Opcode Fuzzy Hash: 1663c094411967d316a68a8cede4b1dee0f552e8b6be5913d8e5013fe5200c60
                                                                                                                                                        • Instruction Fuzzy Hash: 382133B1504204DFCB05DF58C9C8B26BF65FB8831CF20C56DEA090B256C336D406CAA2
                                                                                                                                                        Function 0140D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728316294.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_140d000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a7c31a9ac447b32453abfab37624a34fbe2f39bb37f359b8de31c7b8a0e79c4e
                                                                                                                                                        • Instruction ID: 31a05cf38675649d881732abeaf5021e3c6c85e72ea0f884c6f07b9ebcd72577
                                                                                                                                                        • Opcode Fuzzy Hash: a7c31a9ac447b32453abfab37624a34fbe2f39bb37f359b8de31c7b8a0e79c4e
                                                                                                                                                        • Instruction Fuzzy Hash: AD210A71904200EFDB06DFD9D5C0B26BB65FB84324F24C57EE9094B3A6C736D44ACA61
                                                                                                                                                        Function 0140D01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728316294.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_140d000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 70e21c8cc8ac6c8b96ccebf3b20e0a9c5e7b53ad122ebe99f4e77169832900a1
                                                                                                                                                        • Instruction ID: b2f9c40755dc148ed8663072b5480bc6f12df6c48dccdef5eb58439a7b360ca1
                                                                                                                                                        • Opcode Fuzzy Hash: 70e21c8cc8ac6c8b96ccebf3b20e0a9c5e7b53ad122ebe99f4e77169832900a1
                                                                                                                                                        • Instruction Fuzzy Hash: 502106B1904200DFDB16DF99D9C0B16BB65EB84358F20C57ED90E4B3A6C336D40BCA61
                                                                                                                                                        Function 0140D006 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728316294.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_140d000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 73b1f57751bb0f6debbf8442d309dd8d44d8a15161076caea4555693b9ce158a
                                                                                                                                                        • Instruction ID: c14636825d89a7f599e70a072bece924780ddcc0980edf5a13a0187ecbe3c1be
                                                                                                                                                        • Opcode Fuzzy Hash: 73b1f57751bb0f6debbf8442d309dd8d44d8a15161076caea4555693b9ce158a
                                                                                                                                                        • Instruction Fuzzy Hash: 9E2183755093808FD713CF64D590715BF71EB46214F28C5EBD8498B6A7C33A984ACB62
                                                                                                                                                        Function 013FD4BF Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728206736.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_13fd000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction ID: f243746af50de0cf5d9afc896dc8feeb351bc619441367de543a50dfe35f77a5
                                                                                                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction Fuzzy Hash: E211E172404280CFCB12CF54D5C8B16BF72FB84318F24C6ADD9090B656C33AD45ACBA2
                                                                                                                                                        Function 013FD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728206736.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_13fd000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction ID: 0fdfdc515f55321d25b156b39b0af1fc4739415e65426e70290b34c2754f61c7
                                                                                                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction Fuzzy Hash: 0C11DF72404240CFDB12CF44D5C4B56BF72FB84328F24C2ADD9090B656C33AE45ACBA2
                                                                                                                                                        Function 0140D1CF Relevance: .1, Instructions: 53COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728316294.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_140d000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction ID: af89d62d9fa6175d2c6240bb9d7697bfa95e8450ce85fc708614e7afeeddc2e3
                                                                                                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction Fuzzy Hash: 4F11BE75904240DFDB12CF98C5C0B16BB61FB84224F24C6AED8494B7A6C33AD44ACB51

                                                                                                                                                        Non-executed Functions

                                                                                                                                                        Function 07554D3B Relevance: 1.0, Instructions: 975COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1734734493.0000000007550000.00000004.08000000.00040000.00000000.sdmp, Offset: 07550000, based on PE: true
                                                                                                                                                        • Associated: 00000000.00000002.1734787568.0000000007560000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7550000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fa4fbdc0fe49b8b8f948abc8678bb5f38912e72d671139bed00891025d8ec236
                                                                                                                                                        • Instruction ID: 8a09bb37b4fcfa172b3dd1316a84ca7947c517074da7196211767b098668176f
                                                                                                                                                        • Opcode Fuzzy Hash: fa4fbdc0fe49b8b8f948abc8678bb5f38912e72d671139bed00891025d8ec236
                                                                                                                                                        • Instruction Fuzzy Hash: 32A2B27148E3C18FC7578B7088B55817FB0AE1322475E85EFD4C58E4A3E3AE585ACB62
                                                                                                                                                        Function 053A0040 Relevance: .3, Instructions: 315COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1731759897.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_53a0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 74326f100229ac0036edddcadc2ac375d1beb7747c75d0d555ce6145d374ac77
                                                                                                                                                        • Instruction ID: abfe5c0a2d06460b4e55f23c98baeebe0d7eb84d7a531c1576d8ba600f0da10f
                                                                                                                                                        • Opcode Fuzzy Hash: 74326f100229ac0036edddcadc2ac375d1beb7747c75d0d555ce6145d374ac77
                                                                                                                                                        • Instruction Fuzzy Hash: 1F12AEB16327468AE710CF25F95E28D3FB1BF8532CB905209E2612E2E5DFB8115ACF44
                                                                                                                                                        Function 078D1678 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b006ac5f5384fbc922f8803298c4178d94ca19c72481759462cbb90075cda466
                                                                                                                                                        • Instruction ID: 0ed0cd630c4a0ce66490713345765f70806c237b384e95b53a12fc1a3eb89ed3
                                                                                                                                                        • Opcode Fuzzy Hash: b006ac5f5384fbc922f8803298c4178d94ca19c72481759462cbb90075cda466
                                                                                                                                                        • Instruction Fuzzy Hash: 26E1EAB4E041198FCB14DFA9C584AAEFBB2BF89304F24D169D814AB359D731AD81CF61
                                                                                                                                                        Function 078D3C68 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 13ce2fd07eb0d7cfef21ec98af1e4ffbe3921c332d02bc432c7954a6f346d5a4
                                                                                                                                                        • Instruction ID: f20b47d305f1a91c6a29f37ac81cbffe9e75e932d6aeb0773aa0dce699b2be0e
                                                                                                                                                        • Opcode Fuzzy Hash: 13ce2fd07eb0d7cfef21ec98af1e4ffbe3921c332d02bc432c7954a6f346d5a4
                                                                                                                                                        • Instruction Fuzzy Hash: 42E11AB4E001198FCB14DFA9C5909AEFBB2BF89304F24C169D814AB755C731AD81CF61
                                                                                                                                                        Function 078D32B8 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6bb16eb5f6a9cb9906f50aedd07f913bb144a9b705c4ae11d9dfd1b1546d20f3
                                                                                                                                                        • Instruction ID: f7c790e0d92053679b55cb9429d8898e54a00b2946a6be38805759b5bb488009
                                                                                                                                                        • Opcode Fuzzy Hash: 6bb16eb5f6a9cb9906f50aedd07f913bb144a9b705c4ae11d9dfd1b1546d20f3
                                                                                                                                                        • Instruction Fuzzy Hash: 59E1E9B4E04119CFCB14DFA9C9809AEFBB2BF89304F249169D814AB759D731AD81CF61
                                                                                                                                                        Function 078D1AB0 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2cad04a79f45ee3aaf18526a0e82945b9597e793b6559a46c78c36111acfe705
                                                                                                                                                        • Instruction ID: bed1e19d633efa26d144e838c0e646d3b77940dfaf26f2fe99da345120b6401e
                                                                                                                                                        • Opcode Fuzzy Hash: 2cad04a79f45ee3aaf18526a0e82945b9597e793b6559a46c78c36111acfe705
                                                                                                                                                        • Instruction Fuzzy Hash: 6BE1FBB4E041198FCB14DF99C9949AEFBF2BF49304F249269D814AB355D731AD82CF60
                                                                                                                                                        Function 078D40A0 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c636f9009c8a7fd62e202233895d331272368bdbbb588c348e9c6897d0d8b83d
                                                                                                                                                        • Instruction ID: 92ee7246322cf2cfd7cffaed9cc3c6360ffd3dccd26846090155b8bb9b6d83d0
                                                                                                                                                        • Opcode Fuzzy Hash: c636f9009c8a7fd62e202233895d331272368bdbbb588c348e9c6897d0d8b83d
                                                                                                                                                        • Instruction Fuzzy Hash: 4AE1ECB4E011598FCB14DF99C5809AEFBB2BF49304F24D259D818AB359D731AD86CF60
                                                                                                                                                        Function 02C0D5BC Relevance: .3, Instructions: 264COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1728713948.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_2c00000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 416eea0e6db04a184acb2a33e35fc12a83d257d5b1379566a47dfdb208da1fe0
                                                                                                                                                        • Instruction ID: de697ccbcb06d43bae6a9bdb772959ca087507e25954eaffca063aea244ca689
                                                                                                                                                        • Opcode Fuzzy Hash: 416eea0e6db04a184acb2a33e35fc12a83d257d5b1379566a47dfdb208da1fe0
                                                                                                                                                        • Instruction Fuzzy Hash: ADA15C32E102158FCF15DFA5C88459EBBB2FF85304B15856EE805AB2A1DF31EA56CF80
                                                                                                                                                        Function 053A0006 Relevance: .2, Instructions: 236COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1731759897.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_53a0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b8602e866dee8709cef69ef7dbafe635e409b111ddcf6026a38483adaff04588
                                                                                                                                                        • Instruction ID: c78be602045f84fe7a162927d93295af0df3f7e9e895dbb55b04452453a47726
                                                                                                                                                        • Opcode Fuzzy Hash: b8602e866dee8709cef69ef7dbafe635e409b111ddcf6026a38483adaff04588
                                                                                                                                                        • Instruction Fuzzy Hash: 62C102B1A327458AD711CF29F95E28D3FB1BF86328B504209E2616F2E5DFB8144ACF44
                                                                                                                                                        Function 078D4090 Relevance: .1, Instructions: 135COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5c3436bfc1f41190f4e25973fe3af21d290838d918f171640bebae3706f7ee73
                                                                                                                                                        • Instruction ID: e9f901ac763653eeb95737fe24a137a4bec9ad9a631cd96c6c30bc81e82dfdc7
                                                                                                                                                        • Opcode Fuzzy Hash: 5c3436bfc1f41190f4e25973fe3af21d290838d918f171640bebae3706f7ee73
                                                                                                                                                        • Instruction Fuzzy Hash: F051FAB1E012598FCB14DFA9D9805AEFBB2BF89304F24C169D818AB315D7319D42CF61
                                                                                                                                                        Function 078D1AA0 Relevance: .1, Instructions: 134COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1735107137.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_78d0000_HUEtVS3MQe.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4a2a73b3e7ddbc0afb2576ef337f3409a5cd07ae76447cc725af9b3546d915fd
                                                                                                                                                        • Instruction ID: c1f75d30b15a69b42ac45e5f153ccbbb106b4788ee6e0bb02aea5c2f83fc6e6d
                                                                                                                                                        • Opcode Fuzzy Hash: 4a2a73b3e7ddbc0afb2576ef337f3409a5cd07ae76447cc725af9b3546d915fd
                                                                                                                                                        • Instruction Fuzzy Hash: EB51F9B5E042198BDB14CFA9C9845AEFBF2BF89314F24C169D418AB316D7319D42CFA1

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:0%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                        Signature Coverage:40%
                                                                                                                                                        Total number of Nodes:5
                                                                                                                                                        Total number of Limit Nodes:1
                                                                                                                                                        execution_graph 85798 14f2c00 85800 14f2c0a 85798->85800 85801 14f2c1f LdrInitializeThunk 85800->85801 85802 14f2c11 85800->85802 85803 14f2ad0 LdrInitializeThunk

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 014F2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 5 14f2b60-14f2b6c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 9fd5eff8da39edb7cdc570f119ed70dd174739ff46e7915c2a42122f1513b7e6
                                                                                                                                                        • Instruction ID: 3d977b02c033fdd496f536e88c9592bc7cdb4f40cbb32fbd8bec6f5d353f3015
                                                                                                                                                        • Opcode Fuzzy Hash: 9fd5eff8da39edb7cdc570f119ed70dd174739ff46e7915c2a42122f1513b7e6
                                                                                                                                                        • Instruction Fuzzy Hash: 6990026160280043410671984414A16404AA7E0211B59C421E10149D4DC56589D16225
                                                                                                                                                        Function 014F2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 6 14f2bf0-14f2bfc LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                                                                                                                                                        • Instruction ID: 770c60fb024a703665910efa5cb4667a73b9a3455789c4993a03e24047f2942d
                                                                                                                                                        • Opcode Fuzzy Hash: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                                                                                                                                                        • Instruction Fuzzy Hash: 9890023160180842D18171984404A4A0045A7D1311F99C415A0025A98DCA558B9977A1
                                                                                                                                                        Function 014F2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 4 14f2ad0-14f2adc LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                                                                                                                                                        • Instruction ID: b82cf40219af77037f62a11e412aa8e34192ee5ebfc75363f10ba8ada2df228a
                                                                                                                                                        • Opcode Fuzzy Hash: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                                                                                                                                                        • Instruction Fuzzy Hash: A5900225611800430106B59807049070086A7D5361359C421F1015994CD66189A15221
                                                                                                                                                        Function 014F2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 9 14f2d10-14f2d1c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                                                                                                                                                        • Instruction ID: 0848207a0cf572abfc14a650ba87e834b28dca6d785cf466bf5d55eda2a72050
                                                                                                                                                        • Opcode Fuzzy Hash: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                                                                                                                                                        • Instruction Fuzzy Hash: FF90022961380042D18171985408A0A0045A7D1212F99D815A001599CCC95589A95321
                                                                                                                                                        Function 014F2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 10 14f2d30-14f2d3c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                                                                                                                                                        • Instruction ID: 24dc2f96ec203673ee641e1f35c6eb0675f59c52e33e28cb5886b6d03ea3c671
                                                                                                                                                        • Opcode Fuzzy Hash: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                                                                                                                                                        • Instruction Fuzzy Hash: 8C90022170180043D14171985418A064045F7E1311F59D411E0414998CD95589965322
                                                                                                                                                        Function 014F2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 11 14f2dd0-14f2ddc LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                                                                                                                                                        • Instruction ID: 10fbecab2ba737432e042b9a33bb5cb1c2757aeabe43d21294ea069c273aa422
                                                                                                                                                        • Opcode Fuzzy Hash: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                                                                                                                                                        • Instruction Fuzzy Hash: C5900221642841925546B19844049074046B7E0251799C412A1414D94CC5669996D721
                                                                                                                                                        Function 014F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 12 14f2df0-14f2dfc LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: ebd96cad7d876e827cf3d3156201ef1801eccc9179fcc119b58e8a3ed0db193d
                                                                                                                                                        • Instruction ID: 29a533a705252cf03705c4bfd28e396fc283f9f2868ec48b525b71b6c979d548
                                                                                                                                                        • Opcode Fuzzy Hash: ebd96cad7d876e827cf3d3156201ef1801eccc9179fcc119b58e8a3ed0db193d
                                                                                                                                                        • Instruction Fuzzy Hash: 0190023160180453D11271984504B070049A7D0251F99C812A042499CDD6968A92A221
                                                                                                                                                        Function 014F2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 7 14f2c70-14f2c7c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 5d069a01ebca24cb429f049d7905b71d22b5357332cbe8a1d5c3d157d724cc0d
                                                                                                                                                        • Instruction ID: 2f0bf10be758f64fdd76abde4a235edf02022ae2cc8f679ef5eb13e78d76443b
                                                                                                                                                        • Opcode Fuzzy Hash: 5d069a01ebca24cb429f049d7905b71d22b5357332cbe8a1d5c3d157d724cc0d
                                                                                                                                                        • Instruction Fuzzy Hash: E890023160188842D11171988404B4A0045A7D0311F5DC811A4424A9CDC6D589D17221
                                                                                                                                                        Function 014F2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 8 14f2ca0-14f2cac LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                                                                                                                                                        • Instruction ID: b2524638cc029f14d6b0a10df1ca070e8d678933a61409ecc7d7bdff68852a50
                                                                                                                                                        • Opcode Fuzzy Hash: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                                                                                                                                                        • Instruction Fuzzy Hash: 3290023160180442D10175D85408A460045A7E0311F59D411A5024999EC6A589D16231
                                                                                                                                                        Function 014F2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 15 14f2f30-14f2f3c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                                                                                                                                                        • Instruction ID: b4d451d1821c86ee627be70dd53068eb642dcab5f3021bbb552fab49826c4b4d
                                                                                                                                                        • Opcode Fuzzy Hash: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                                                                                                                                                        • Instruction Fuzzy Hash: E390026174180482D10171984414F060045E7E1311F59C415E1064998DC659CD926226
                                                                                                                                                        Function 014F2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                                                                                                                                                        • Instruction ID: 7de400fc226f2ffbd76913ea0685519abfce274d9f9636fe12252db3cfc397bc
                                                                                                                                                        • Opcode Fuzzy Hash: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                                                                                                                                                        • Instruction Fuzzy Hash: 3D900221611C0082D20175A84C14F070045A7D0313F59C515A0154998CC95589A15621
                                                                                                                                                        Function 014F2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 16 14f2f90-14f2f9c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                                                                                                                                                        • Instruction ID: 5748f2f2a4b028dba12adb792e3322a9dd7c907efda320d0c370c15da695f6e2
                                                                                                                                                        • Opcode Fuzzy Hash: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                                                                                                                                                        • Instruction Fuzzy Hash: F2900231601C0442D10171984814B0B0045A7D0312F59C411A1164999DC66589916671
                                                                                                                                                        Function 014F2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 17 14f2fb0-14f2fbc LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                                                                                                                                                        • Instruction ID: 9cf682f779a343683605a4eb31cb516e7728a3e0cc0b622166e57350ce669332
                                                                                                                                                        • Opcode Fuzzy Hash: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                                                                                                                                                        • Instruction Fuzzy Hash: A1900221A0180082414171A88844D064045BBE1221759C521A0998994DC59989A55765
                                                                                                                                                        Function 014F2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 13 14f2e80-14f2e8c LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                                                                                                                                                        • Instruction ID: 7429217302594c32898772c2269a0ace5a995b1cb43b9eb1d247334657784146
                                                                                                                                                        • Opcode Fuzzy Hash: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                                                                                                                                                        • Instruction Fuzzy Hash: 64900221A0180542D10271984404A16004AA7D0251F99C422A1024999ECA658AD2A231
                                                                                                                                                        Function 014F2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 14 14f2ea0-14f2eac LdrInitializeThunk
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                                                                                                                                                        • Instruction ID: 62bd9d969c855874343e63f5a01766b932a767e9e37a96afd1660431aa9ca531
                                                                                                                                                        • Opcode Fuzzy Hash: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                                                                                                                                                        • Instruction Fuzzy Hash: 2090027160180442D14171984404B460045A7D0311F59C411A5064998EC6998ED56765
                                                                                                                                                        Function 014F2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 0 14f2c0a-14f2c0f 1 14f2c1f-14f2c26 LdrInitializeThunk 0->1 2 14f2c11-14f2c18 0->2
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 809a5c5f1316f5ca696e6c958fa47e76aa92c1c26595163ab673ae119676917c
                                                                                                                                                        • Instruction ID: 4540d13d4d0c05d6f88e8037061970199dd5d3f0be26752b31dfaf05d4b2c75a
                                                                                                                                                        • Opcode Fuzzy Hash: 809a5c5f1316f5ca696e6c958fa47e76aa92c1c26595163ab673ae119676917c
                                                                                                                                                        • Instruction Fuzzy Hash: E7B09B71D019C5C5DA12E7A44608F177940B7D0711F19C466D3030696F8778C1D1E275
                                                                                                                                                        Function 0041F0D7 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1774887099.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_41f000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dbfd2c7987f8d783d50624c11be076aca08fcbaea713292fbee50a803c5ff22f
                                                                                                                                                        • Instruction ID: 0107158e4ea34cef872397287c298c64bcdb00e805e5d4bb5fd3d31227b0858a
                                                                                                                                                        • Opcode Fuzzy Hash: dbfd2c7987f8d783d50624c11be076aca08fcbaea713292fbee50a803c5ff22f
                                                                                                                                                        • Instruction Fuzzy Hash: 23B0125190530D17051078AABF47012BADC8041417F4003F96E8902247B846AE7900E7
                                                                                                                                                        Function 0041F0E0 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1774887099.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_41f000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2ca44d49cce4e752d47424c95bd7a8d14c2cb5a22c403f0b0e7f8a351a29207d
                                                                                                                                                        • Instruction ID: 71cd0b4ea5b82251a8dfacf4b4f4a81eb47669f17a6830740459b1cdfa128c40
                                                                                                                                                        • Opcode Fuzzy Hash: 2ca44d49cce4e752d47424c95bd7a8d14c2cb5a22c403f0b0e7f8a351a29207d
                                                                                                                                                        • Instruction Fuzzy Hash: C7A022A0C0830C03002030FA2B03023B30CC000028F0003EAAE8C022023C02A83200EB

                                                                                                                                                        Non-executed Functions

                                                                                                                                                        Function 01558B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                        • API String ID: 0-2515994595
                                                                                                                                                        • Opcode ID: 7ba339c19f46c7869bb3ecefa003b5b17043a633c3100be05a885c37dd1fd5ea
                                                                                                                                                        • Instruction ID: a191b3d05d0f13111d60347dd341646510478199e4ea108f959d40c631cb1998
                                                                                                                                                        • Opcode Fuzzy Hash: 7ba339c19f46c7869bb3ecefa003b5b17043a633c3100be05a885c37dd1fd5ea
                                                                                                                                                        • Instruction Fuzzy Hash: BE51C0711143059BD365DF1AC864BAFBBE8FF94240F24491FAE55CB250E770D604C792
                                                                                                                                                        Function 01534755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01534888
                                                                                                                                                        • LdrpCheckRedirection, xrefs: 0153488F
                                                                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01534899
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                        • API String ID: 3446177414-3154609507
                                                                                                                                                        • Opcode ID: b7d3a4c5f979706ed3847d990d9b09d13fd40c96a1b71514e24e516ffccf5848
                                                                                                                                                        • Instruction ID: b886f82ef08ff62db02068cd709699af99b20af390dd1947e4c6aa5ce1cd2e88
                                                                                                                                                        • Opcode Fuzzy Hash: b7d3a4c5f979706ed3847d990d9b09d13fd40c96a1b71514e24e516ffccf5848
                                                                                                                                                        • Instruction Fuzzy Hash: BF41AF32A146519FCB22CE69D840A2ABBE4BFC9B50B06056DED589F352E730E811CB91
                                                                                                                                                        Function 014F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 014F2DF0: LdrInitializeThunk.NTDLL ref: 014F2DFA
                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BA3
                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BB6
                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D60
                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D74
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1404860816-0
                                                                                                                                                        • Opcode ID: 5a33f72d0192f2cbb0170173f260bd434c06052839f823a0fea0d6a3b683e158
                                                                                                                                                        • Instruction ID: 2f3dd6687f80b235cd611f87d1741c1b5292f1b1cc97a83231e146d193e5dbd5
                                                                                                                                                        • Opcode Fuzzy Hash: 5a33f72d0192f2cbb0170173f260bd434c06052839f823a0fea0d6a3b683e158
                                                                                                                                                        • Instruction Fuzzy Hash: 25425A72900715DFDB21CF28C880BAAB7F5BF54314F1445AEEA899B352D770AA85CF60
                                                                                                                                                        Function 0158B16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 2cbb34b821a20b58435fa0b6eaa1944377ffbd4c6c14d0ef92e066512bd7054c
                                                                                                                                                        • Instruction ID: 695c4c88f241e5a45299c441045583967f8d348fc790e7f5941cdeba960fd951
                                                                                                                                                        • Opcode Fuzzy Hash: 2cbb34b821a20b58435fa0b6eaa1944377ffbd4c6c14d0ef92e066512bd7054c
                                                                                                                                                        • Instruction Fuzzy Hash: B1F11672E006158BCB18DF6DC89167EFBFABF98210719416DD856EF391E634EA01CB50
                                                                                                                                                        Function 014D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID: $@
                                                                                                                                                        • API String ID: 2994545307-1077428164
                                                                                                                                                        • Opcode ID: 8dc4567d53496c31a483810ff59047d9b99b9d338c17ad541efed833003e1354
                                                                                                                                                        • Instruction ID: 7e5dda7da51d59dfe674d3d2b1f9bba8bc14ef8e11a1efef9ec15a0e5e870d2d
                                                                                                                                                        • Opcode Fuzzy Hash: 8dc4567d53496c31a483810ff59047d9b99b9d338c17ad541efed833003e1354
                                                                                                                                                        • Instruction Fuzzy Hash: 12C290716083419FEB26CF29C490BABBBE5BF88714F05892EF98987361D735D805CB52
                                                                                                                                                        Function 014B04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: kLsE
                                                                                                                                                        • API String ID: 3446177414-3058123920
                                                                                                                                                        • Opcode ID: 961179469a3d411eb01b27b72c04bc8dfd50cd6f2bdf311388ad546c81c0da01
                                                                                                                                                        • Instruction ID: 169e46c38418178ed2a95be6a84b49a5c85766fc457beefcd7aedab766e9a9c3
                                                                                                                                                        • Opcode Fuzzy Hash: 961179469a3d411eb01b27b72c04bc8dfd50cd6f2bdf311388ad546c81c0da01
                                                                                                                                                        • Instruction Fuzzy Hash: C451BB715007428BD724EF29C4806E7BBF4AF94305F10883FEAAA87761E730E545CBA2
                                                                                                                                                        Function 01532349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @$@
                                                                                                                                                        • API String ID: 0-149943524
                                                                                                                                                        • Opcode ID: 1f405af8056d99000b04a42a8de3da7cd01f0a1995dbed0f7fb8fa5e37a12632
                                                                                                                                                        • Instruction ID: 4c406c08f923a0f85723ac66ccfadb8ca031e77243f1cbced077ec4714eee2ed
                                                                                                                                                        • Opcode Fuzzy Hash: 1f405af8056d99000b04a42a8de3da7cd01f0a1995dbed0f7fb8fa5e37a12632
                                                                                                                                                        • Instruction Fuzzy Hash: E0927E71608742AFE721CF29C840B6BBBE8BBD4754F04491EFA94DB261D770E845CB92
                                                                                                                                                        Function 0157A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: `$`
                                                                                                                                                        • API String ID: 0-197956300
                                                                                                                                                        • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                        • Instruction ID: 4ca8b8ef4516a435cd3e12735cb3c1ec722d655713033190ea4d1a9998c48885
                                                                                                                                                        • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                        • Instruction Fuzzy Hash: 80C1CF312043429BEB24CF29D846B2FBBE6BFD4318F084A2DF6968B290D7B5D505CB51
                                                                                                                                                        Function 014BA3C0 Relevance: 2.8, Strings: 2, Instructions: 290COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 6$8
                                                                                                                                                        • API String ID: 0-105715976
                                                                                                                                                        • Opcode ID: 6536af59ae7c172f8b0d87d01e332dfe27947a0c5a5f5038051f96e88fa36357
                                                                                                                                                        • Instruction ID: 7cfd1c74f7df09678596eec73d3c170da16ca3a5d613304c8a26a71573ad5da7
                                                                                                                                                        • Opcode Fuzzy Hash: 6536af59ae7c172f8b0d87d01e332dfe27947a0c5a5f5038051f96e88fa36357
                                                                                                                                                        • Instruction Fuzzy Hash: DAC19D74108386DFD711CF58C184BAAB7E4BF84704F24496EF9958B361E738CA4ACB66
                                                                                                                                                        Function 0155A118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: d900d798d51313afd49450b0f34085d7c25fb675fdb556a78f0a79deac64b1e6
                                                                                                                                                        • Instruction ID: 03978feedb157566341959fe0f3de22a37daebb29365329a30923fa45a2979de
                                                                                                                                                        • Opcode Fuzzy Hash: d900d798d51313afd49450b0f34085d7c25fb675fdb556a78f0a79deac64b1e6
                                                                                                                                                        • Instruction Fuzzy Hash: B222C1706146618BEBA5CF2DC06077ABBF1BF44344F088A5BDD968F286E335E452CB60
                                                                                                                                                        Function 014B6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 455ebc30cd12e4e582c79bc9c71e9028ca797be8da82c691e0e146bf68ec7559
                                                                                                                                                        • Instruction ID: 531c4e96c0b4706a8a2999a046ece8e7bf8ecbbcd483aeb0333bbae923fe6f5b
                                                                                                                                                        • Opcode Fuzzy Hash: 455ebc30cd12e4e582c79bc9c71e9028ca797be8da82c691e0e146bf68ec7559
                                                                                                                                                        • Instruction Fuzzy Hash: C0329C70A04615CFDB25CF69C4C0AAEBBF1FF48310F1545AAEA55AB3A5D730E842CB60
                                                                                                                                                        Function 014C0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7ca310f9c4a08addd2e541f2522d1cd22059e21812fed30c11ca31ccf7046061
                                                                                                                                                        • Instruction ID: 67f59ed5cc42801d05230a552e0e263aedb46d7399ac3cea2cfcff81cca9ec73
                                                                                                                                                        • Opcode Fuzzy Hash: 7ca310f9c4a08addd2e541f2522d1cd22059e21812fed30c11ca31ccf7046061
                                                                                                                                                        • Instruction Fuzzy Hash: 25F1C038600606DFEB26CF68C890BAAB7F5FF85700F14816EE5569B365D734E981CB90
                                                                                                                                                        Function 01560274 Relevance: 1.8, APIs: 1, Instructions: 348timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 125261fccfd74e807be6003550a9ef5d9777052ce3454cc110f7e143f5acbf7d
                                                                                                                                                        • Instruction ID: 46c0b1e2e57a122638e53954e0617058453d1fb39b7e02f113b42b591dcdea47
                                                                                                                                                        • Opcode Fuzzy Hash: 125261fccfd74e807be6003550a9ef5d9777052ce3454cc110f7e143f5acbf7d
                                                                                                                                                        • Instruction Fuzzy Hash: 54D1FF31600286DFDB22DFA9C440AADBBF9FF69700F59805AF4459F2A2C774D981CB90
                                                                                                                                                        Function 014DE5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 12c13d832fb4857945ae34c7c3b443d64da67583113d8a46f9201dbf87e2b440
                                                                                                                                                        • Instruction ID: 2c14c355655e17e9b5e73eb0158e94e8141c7e7966d668d39ad191fc683d7ca2
                                                                                                                                                        • Opcode Fuzzy Hash: 12c13d832fb4857945ae34c7c3b443d64da67583113d8a46f9201dbf87e2b440
                                                                                                                                                        • Instruction Fuzzy Hash: D9A10131E04619AFEF22DB98C854FAEBBA4BB00714F05012BEA10BF2E5D7749D45CB91
                                                                                                                                                        Function 014D0BCB Relevance: 1.7, APIs: 1, Instructions: 210timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: f1d8ad60888bdd962a42757b8531de4d1835f067a3716ffa27f5213d394c88f3
                                                                                                                                                        • Instruction ID: bd3b9e520d0fcd5989641f4d96397b6a44ac7cfac48cf12c131e65b8d50be14d
                                                                                                                                                        • Opcode Fuzzy Hash: f1d8ad60888bdd962a42757b8531de4d1835f067a3716ffa27f5213d394c88f3
                                                                                                                                                        • Instruction Fuzzy Hash: 5871F270A402069FDF2ADF69C890ABEB7F4FB84704F55402EE5169B365E330A946CB50
                                                                                                                                                        Function 014C03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 48624451-0
                                                                                                                                                        • Opcode ID: eaae58c2785a6f84fed40bb13385a0f6440fbb986538dce1ffa332e7768871d4
                                                                                                                                                        • Instruction ID: 8c5737bf09bd2a5f522cc8555eddd9ec183ef035726dd8d6c3799ec55b3bcbdb
                                                                                                                                                        • Opcode Fuzzy Hash: eaae58c2785a6f84fed40bb13385a0f6440fbb986538dce1ffa332e7768871d4
                                                                                                                                                        • Instruction Fuzzy Hash: 72715E75A0014A9FDB01DF99C990BAEB7F8BF58704F15406AE905EB261E734ED01CBA4
                                                                                                                                                        Function 014E29F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: 24aa5128e70df68a80a20d9ffa921cec6db0b7f9e1ff4c34d89b15794be447a5
                                                                                                                                                        • Instruction ID: 316fabe0d7de17b0275001e85ffe3bc403bff7e9a721470cafd7c08422de086f
                                                                                                                                                        • Opcode Fuzzy Hash: 24aa5128e70df68a80a20d9ffa921cec6db0b7f9e1ff4c34d89b15794be447a5
                                                                                                                                                        • Instruction Fuzzy Hash: 720290B6D002299BDB31CB54CC84B9EB7B8BF55304F4041DAE609AB291DB70AF84CF59
                                                                                                                                                        Function 014A645D Relevance: 1.6, APIs: 1, Instructions: 150timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • RtlDebugPrintTimes.NTDLL ref: 014A656C
                                                                                                                                                          • Part of subcall function 014A65B5: RtlDebugPrintTimes.NTDLL ref: 014A6664
                                                                                                                                                          • Part of subcall function 014A65B5: RtlDebugPrintTimes.NTDLL ref: 014A66AF
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 44bd140fc4a1dc25cb1946f947688682cdde4a72fa4d2e276be36fb8e89bca55
                                                                                                                                                        • Instruction ID: 7a2a334c91657c76abbfc52a6a3923b25d837af494f26e36accb7b21e1169412
                                                                                                                                                        • Opcode Fuzzy Hash: 44bd140fc4a1dc25cb1946f947688682cdde4a72fa4d2e276be36fb8e89bca55
                                                                                                                                                        • Instruction Fuzzy Hash: 375111312483009FD721DF24C841FABBBE8FB94648F86091EF5999B1B5D770E944CB92
                                                                                                                                                        Function 014EC720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: fb4e9bce6547a1fe762f56ad22d46301fcdde5b03cec35e8d8d4c0b698c8b2f0
                                                                                                                                                        • Instruction ID: 03964858199d38b8edb5b360cf3bcb645799cfb209f66cabe1623f7e43d124a5
                                                                                                                                                        • Opcode Fuzzy Hash: fb4e9bce6547a1fe762f56ad22d46301fcdde5b03cec35e8d8d4c0b698c8b2f0
                                                                                                                                                        • Instruction Fuzzy Hash: FA41F272584312ABC720EB69D884B5F7BE8BF65B50F46482FF9549B2A0E770D8048B91
                                                                                                                                                        Function 014DEBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                                                                                                                                                        • Instruction ID: cc6f18bfddb6cf349fc6ef51a6ab4d8d8d734b3024baef24772ef8c0215fefe9
                                                                                                                                                        • Opcode Fuzzy Hash: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                                                                                                                                                        • Instruction Fuzzy Hash: F041E4712003029FEB21DF29C894A2BB7E5FF98614F45482FE557DB325DB71E8498B50
                                                                                                                                                        Function 014B262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                                                                                                                                                        • Instruction ID: 514bbc3bca5d5e32dead53de0a9df267f71da994df0d03d250861b813d07e1f7
                                                                                                                                                        • Opcode Fuzzy Hash: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                                                                                                                                                        • Instruction Fuzzy Hash: 5841AD71901705CFC722EF69C980A9AB7F5FF64310F1585AFC41A9B2B1DBB0A941CB61
                                                                                                                                                        Function 015307C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                                                                                                                                                        • Instruction ID: df7081f1b51a5160f8b8823b2d27b4d04b9cf392ff92d3aa821613777a3a13b3
                                                                                                                                                        • Opcode Fuzzy Hash: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                                                                                                                                                        • Instruction Fuzzy Hash: 19418CB25043419FD720DF29C844B9BBBE8FF98664F404A2EF5A8DB291D7709904CB92
                                                                                                                                                        Function 014D245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: afe2dbbb77a470752d5dae123f8397a125281b6805fe2c7f45c2a4afdece8114
                                                                                                                                                        • Instruction ID: c5eb1a603a95b79a8778f5af36cc6ce84c42bac0e02d1aa574fdc31ef39f833c
                                                                                                                                                        • Opcode Fuzzy Hash: afe2dbbb77a470752d5dae123f8397a125281b6805fe2c7f45c2a4afdece8114
                                                                                                                                                        • Instruction Fuzzy Hash: AF317D72640242ABEB339F5DC881E6EBBB5FB84704F57001EE9106F259C7B05985D740
                                                                                                                                                        Function 014B4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                                                                                                                                                        • Instruction ID: 412e586c862ffb9b7399bcdf5208924652e0b9e8829c6c376b413afeda2e1ee5
                                                                                                                                                        • Opcode Fuzzy Hash: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                                                                                                                                                        • Instruction Fuzzy Hash: D941B1302003019BD725DF29D884B6BBBE5AF90750F18442EE6568B3B2DB70D855CB61
                                                                                                                                                        Function 0155EBD0 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                                                                                                                                                        • Instruction ID: e3cc07f001089ab2bfe4b748012c557ff4ebbdae8209206332635167424bd288
                                                                                                                                                        • Opcode Fuzzy Hash: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                                                                                                                                                        • Instruction Fuzzy Hash: A931A971545311CFC711DF19C55185AFBF1FF99618F4449AEE888AF211D730DA44CB92
                                                                                                                                                        Function 01584B00 Relevance: 1.6, APIs: 1, Instructions: 57timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 456947078d2a4afeb6804c203b3daabcfb7e7e72f6d6b8ff1db6351675696db9
                                                                                                                                                        • Instruction ID: ecf43c74c1d6b4bf2d08a2afe59d2d964ec5cd2408e8bbbf1f1c679878024063
                                                                                                                                                        • Opcode Fuzzy Hash: 456947078d2a4afeb6804c203b3daabcfb7e7e72f6d6b8ff1db6351675696db9
                                                                                                                                                        • Instruction Fuzzy Hash: C811E9362006129FDB21EA69D840F6BB7E5FFC4712F15442AEE92DB690DA30E802C790
                                                                                                                                                        Function 0153892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                                                                                                                                                        • Instruction ID: d8d0775e743ac07b13e663e7ba4c7815b031c39f763dd2ebb3e791b96b953c76
                                                                                                                                                        • Opcode Fuzzy Hash: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                                                                                                                                                        • Instruction Fuzzy Hash: 0001F7332502119BE6296A5ADCC4E9E7BA5FFD1254B45062DF6411F161CB306845C7A2
                                                                                                                                                        Function 0153A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: ad2ae82d72078e986725848af7831692b4671ed0f242a5a02c34a614fc45f5a0
                                                                                                                                                        • Instruction ID: 0f64f4de55a31ae6608a12cb0c681d9a3ba87457377495654e087090fc52e80e
                                                                                                                                                        • Opcode Fuzzy Hash: ad2ae82d72078e986725848af7831692b4671ed0f242a5a02c34a614fc45f5a0
                                                                                                                                                        • Instruction Fuzzy Hash: 35019A36110219ABCF129F84DC40EDE3F66FB8C754F068105FE19AA260C332D970EB81
                                                                                                                                                        Function 01536420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 0-3916222277
                                                                                                                                                        • Opcode ID: c9774af6418308242e2b4d15a8c38aeb7cf456ec1edb2762b49aac87621a3422
                                                                                                                                                        • Instruction ID: a1bcaf6ba2fd310ed75299e13a3061643adbe994321ca4cb9da47f0c140c6d86
                                                                                                                                                        • Opcode Fuzzy Hash: c9774af6418308242e2b4d15a8c38aeb7cf456ec1edb2762b49aac87621a3422
                                                                                                                                                        • Instruction Fuzzy Hash: A5916271A00219BFEB21DF95CC95FAE7BB8FF54B50F154069F600AB1A0D775A900CB61
                                                                                                                                                        Function 014E8402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: 1aad77aad74bf339805523154fae6bcc42d994ccb1ece7f557f49f35ef940521
                                                                                                                                                        • Instruction ID: 320556a30bf2fc4826e0cf78364f900b1c97752f1956bd00e8364eb753768c0e
                                                                                                                                                        • Opcode Fuzzy Hash: 1aad77aad74bf339805523154fae6bcc42d994ccb1ece7f557f49f35ef940521
                                                                                                                                                        • Instruction Fuzzy Hash: DF919D71518346AFDB21DF66CC44EAFBAE8FF94644F40092FFA8496261E770D904CB62
                                                                                                                                                        Function 0155E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 0-3916222277
                                                                                                                                                        • Opcode ID: 4a8774865f31443746883b3cf8b4fab1120100be0ae0a062912d58c5929951be
                                                                                                                                                        • Instruction ID: cf155ffc763c7908496c4245f0f305886fc8982f5a367dd1b9fa16969a70f387
                                                                                                                                                        • Opcode Fuzzy Hash: 4a8774865f31443746883b3cf8b4fab1120100be0ae0a062912d58c5929951be
                                                                                                                                                        • Instruction Fuzzy Hash: 7D91A132900606AFDB629F95DC55FAFFBB9FF55740F11002AF904AB261DB34AA01CB50
                                                                                                                                                        Function 014E273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .Local
                                                                                                                                                        • API String ID: 0-5346580
                                                                                                                                                        • Opcode ID: 86028cb88b76fb190f2e3ef3ded78da8002c27e6859a695048ae531911b49113
                                                                                                                                                        • Instruction ID: a106cbb7d796f92d1c3b282963ddf59882245475389e50ffc5c065a347cc2372
                                                                                                                                                        • Opcode Fuzzy Hash: 86028cb88b76fb190f2e3ef3ded78da8002c27e6859a695048ae531911b49113
                                                                                                                                                        • Instruction Fuzzy Hash: C5A1C335A00229DBDB24CF59CC88BAAB7F5BF59314F1541EAD908AB361D7709E81CF90
                                                                                                                                                        Function 014AA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: \??\
                                                                                                                                                        • API String ID: 0-3047946824
                                                                                                                                                        • Opcode ID: cd1b4ed958f9db37d649ca709a721a4cedeb2feb8d4b70998077b215cd23247e
                                                                                                                                                        • Instruction ID: 6acf9be99f6e96ac920543672bd101a97621859f7841f7af078affafde101792
                                                                                                                                                        • Opcode Fuzzy Hash: cd1b4ed958f9db37d649ca709a721a4cedeb2feb8d4b70998077b215cd23247e
                                                                                                                                                        • Instruction Fuzzy Hash: EEA16D319112299BDB329F64CC88BEEB7B8FF55700F1101EAEA08AB250D7359E84CF50
                                                                                                                                                        Function 014E8620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 8
                                                                                                                                                        • API String ID: 0-4194326291
                                                                                                                                                        • Opcode ID: 1f1ebe1681397304dd7f453e470f49ed0a0c762622ce99515ef611eba2d05e8e
                                                                                                                                                        • Instruction ID: 4757d3110abf6e3d2ec780d20ef9b62ac82a079c31db9d7d060cecfb925c442e
                                                                                                                                                        • Opcode Fuzzy Hash: 1f1ebe1681397304dd7f453e470f49ed0a0c762622ce99515ef611eba2d05e8e
                                                                                                                                                        • Instruction Fuzzy Hash: 68819F71A40359AFDF20CF99C845BEEBBF5BB19714F20411AF504BB2A0E371A945CB90
                                                                                                                                                        Function 014E8BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: (
                                                                                                                                                        • API String ID: 0-3887548279
                                                                                                                                                        • Opcode ID: 96433b7b0774bcc5df71f736952b02ad50beadaf22b4c15a5483b9d2c6d705c3
                                                                                                                                                        • Instruction ID: a48a40ecaa5b677002acbf404374ab0d76ac56479830744fd5f1de5042b36f89
                                                                                                                                                        • Opcode Fuzzy Hash: 96433b7b0774bcc5df71f736952b02ad50beadaf22b4c15a5483b9d2c6d705c3
                                                                                                                                                        • Instruction Fuzzy Hash: 4D915971D0065ACFDF11CFA9C884ADEBBF1BF59314F10416AE816AB3A1D771A902CB50
                                                                                                                                                        Function 015543D4 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: 57d8328be3c497aa5d0ce2bcfea32f04ff8b1bdef22c5ac8ab32baa91f016921
                                                                                                                                                        • Instruction ID: ab0f6e463ff38010de465b7f318d47c951f6d3ae2b312589d472f696d38ac3cb
                                                                                                                                                        • Opcode Fuzzy Hash: 57d8328be3c497aa5d0ce2bcfea32f04ff8b1bdef22c5ac8ab32baa91f016921
                                                                                                                                                        • Instruction Fuzzy Hash: 02511871D0021DAFDB11DFA9CC94EEEBBB8FB54754F10052AEA11BB290E6709E45CB60
                                                                                                                                                        Function 014AA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: (
                                                                                                                                                        • API String ID: 0-3887548279
                                                                                                                                                        • Opcode ID: eb3df6ef37fb9fb2d6317902110e60a5fc2e43c878566503813db05c14b859eb
                                                                                                                                                        • Instruction ID: 1d5df538c77fa2883df54d6ddd63cfa9b73b401acce601686720a63721613883
                                                                                                                                                        • Opcode Fuzzy Hash: eb3df6ef37fb9fb2d6317902110e60a5fc2e43c878566503813db05c14b859eb
                                                                                                                                                        • Instruction Fuzzy Hash: E15119B491125ADFCB11CF99C580ACEBFF4FF18714F11822BE509AB261D7B4A941CB94
                                                                                                                                                        Function 014B2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: (
                                                                                                                                                        • API String ID: 0-3887548279
                                                                                                                                                        • Opcode ID: 0c28aeb55d96de0c7e8593949c576334a6aeffd4c1d6a022dc2b8b1fb9acc45a
                                                                                                                                                        • Instruction ID: ddea9cecea8b1cd3f614bbf24569896fc5c79ecdee21dce14566ef5124275c09
                                                                                                                                                        • Opcode Fuzzy Hash: 0c28aeb55d96de0c7e8593949c576334a6aeffd4c1d6a022dc2b8b1fb9acc45a
                                                                                                                                                        • Instruction Fuzzy Hash: 1C512CB190161AAFCB15CF99C480ADDFBB0BF18710F54462EE518E7690D375A951CBA0
                                                                                                                                                        Function 0156C188 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: f458d208f417760f0c055ef082b6f321501c9274ff8160b0ad1ea4232ec25dbf
                                                                                                                                                        • Instruction ID: 55c48db9d241afaf3bf525043dbdfdf8bc1ae709c3bf804b88c459a901ba9a74
                                                                                                                                                        • Opcode Fuzzy Hash: f458d208f417760f0c055ef082b6f321501c9274ff8160b0ad1ea4232ec25dbf
                                                                                                                                                        • Instruction Fuzzy Hash: 77416571E00209EBDF11DED9C851FEEBBBCBB24714F14406BEA85AB250D7749A44CB90
                                                                                                                                                        Function 01544144 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: db864628aa8c68678832397fbe5a7f15e9679cd8d0385665989215daee1893bd
                                                                                                                                                        • Instruction ID: e5b7f99141132102b4788105b19ee8db25133a6e9111b6efaca3f076a02780a7
                                                                                                                                                        • Opcode Fuzzy Hash: db864628aa8c68678832397fbe5a7f15e9679cd8d0385665989215daee1893bd
                                                                                                                                                        • Instruction Fuzzy Hash: 3741FF72A446498BEB22DFA9C844BADBBB8FFA5748F14045AD901AF791DB348901CB10
                                                                                                                                                        Function 014EC6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: minkernel\ntdll\ldrredirect.c
                                                                                                                                                        • API String ID: 0-3694840737
                                                                                                                                                        • Opcode ID: dfc3ad8bd314b103bd41d74a380750dfee8ad298fa311c5b53ffb9bdde6944a5
                                                                                                                                                        • Instruction ID: 4113149b68e8aa43a50511e00896419f5a9e77528e738f2269fdc6ed1a58dcf0
                                                                                                                                                        • Opcode Fuzzy Hash: dfc3ad8bd314b103bd41d74a380750dfee8ad298fa311c5b53ffb9bdde6944a5
                                                                                                                                                        • Instruction Fuzzy Hash: CB3104726443529FC220EF29D846E2BBBD5FFA5B14F05051DF9446F2A1D670EC04CBA2
                                                                                                                                                        Function 01546B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: #
                                                                                                                                                        • API String ID: 0-1885708031
                                                                                                                                                        • Opcode ID: 2a9f2cc16379b4199c6e5062595a313d63de7103d4a6090de5c05ef7d543176a
                                                                                                                                                        • Instruction ID: 691e4aa7f0c1c8be13e485550ceb0e3697f8c0b7da76789182fa61bb9205c090
                                                                                                                                                        • Opcode Fuzzy Hash: 2a9f2cc16379b4199c6e5062595a313d63de7103d4a6090de5c05ef7d543176a
                                                                                                                                                        • Instruction Fuzzy Hash: C3311831A007199BEB22CF69C854BAE7BA8EF16708F14402DE940AF292DB75DC45CB94
                                                                                                                                                        Function 014C29A0 Relevance: 1.0, Instructions: 966COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 15c16cf999e09f1d2ad9009be9dc2674ce6f2b146070280338e2a4f735196f60
                                                                                                                                                        • Instruction ID: 99a4074fac1f375ff425ea2c3531647d8c142905d9a8c5ebed8d86032c7be25b
                                                                                                                                                        • Opcode Fuzzy Hash: 15c16cf999e09f1d2ad9009be9dc2674ce6f2b146070280338e2a4f735196f60
                                                                                                                                                        • Instruction Fuzzy Hash: 7692E078A042499FDB65CF68C440BAEBBF1FF48710F14806EE859AB361D7B5A942CF50
                                                                                                                                                        Function 014BC7C0 Relevance: 1.0, Instructions: 960COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5d8bb688fcc9dd3cc9e5dfee201ecbfe27de5212d3c1f87a2a7eda452aa07400
                                                                                                                                                        • Instruction ID: 3ac641dbdf9bedcdd8018d4474855d3cc4043328944170d458e6997198de93f0
                                                                                                                                                        • Opcode Fuzzy Hash: 5d8bb688fcc9dd3cc9e5dfee201ecbfe27de5212d3c1f87a2a7eda452aa07400
                                                                                                                                                        • Instruction Fuzzy Hash: E9826075E002199FDB25CFA9C8C07EEBBB1BF48314F1481AAD959AB361D7309D42CB60
                                                                                                                                                        Function 01552000 Relevance: .8, Instructions: 757COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: db1cd387bcb3b2c75c5181629776d7104308902864e616c56544e85cd27e504e
                                                                                                                                                        • Instruction ID: 25e614e4ccae556881060dff8699ee0da4a5cedf5fd2736fc9f0efe7887eec43
                                                                                                                                                        • Opcode Fuzzy Hash: db1cd387bcb3b2c75c5181629776d7104308902864e616c56544e85cd27e504e
                                                                                                                                                        • Instruction Fuzzy Hash: 1B42B036608341DBD765CF69C8A0A6FBBE5BB98340F08492FFE869B250D770D845CB52
                                                                                                                                                        Function 01548158 Relevance: .6, Instructions: 617COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: bd3111c406f1d1bdf2bcf84a6adc000f251ee2be0740b3a44f98d6a7fd522d9d
                                                                                                                                                        • Instruction ID: eccbde87813e939daf4274240110933f86c3b5e3b7fde3619993e168ab429301
                                                                                                                                                        • Opcode Fuzzy Hash: bd3111c406f1d1bdf2bcf84a6adc000f251ee2be0740b3a44f98d6a7fd522d9d
                                                                                                                                                        • Instruction Fuzzy Hash: D3426D75E002198FEB24CFA9C881BADBBF5BF58304F14809EE949EB252D7349985CF50
                                                                                                                                                        Function 014C2840 Relevance: .6, Instructions: 605COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3f46fbef4b561d1d952398651c55157a2c837190ecb5a0873c08ea0129872a96
                                                                                                                                                        • Instruction ID: f5989598ba9770d0a22ad762bfa72ff5d273af42f2f626ec6d341591fb4e674e
                                                                                                                                                        • Opcode Fuzzy Hash: 3f46fbef4b561d1d952398651c55157a2c837190ecb5a0873c08ea0129872a96
                                                                                                                                                        • Instruction Fuzzy Hash: D8322474A007568FEB26CF69C844BBEBBF2BF84700F14451ED8469F289D7B4A842CB50
                                                                                                                                                        Function 014BA9D0 Relevance: .4, Instructions: 421COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e50e83d8f6aba39855575185ddede91ad25ff80623de78a4d9fc5dfd3c3dda68
                                                                                                                                                        • Instruction ID: 385c4d27573a2b018e3b9aefdebae7f2f7990825a8efeecf310b41b5432765c7
                                                                                                                                                        • Opcode Fuzzy Hash: e50e83d8f6aba39855575185ddede91ad25ff80623de78a4d9fc5dfd3c3dda68
                                                                                                                                                        • Instruction Fuzzy Hash: BFE18771E042159FEF22CE99C990BEEBBB9FF58310F20442AE911EB265D734D941CB60
                                                                                                                                                        Function 0154892B Relevance: .4, Instructions: 386COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9ac60c98df281ad08768530760961e31e407778aafde28f50a4a9e7a925ef691
                                                                                                                                                        • Instruction ID: 01bb53339ed9e58d198bb16378ca7da95d2a74dfb5012f1d4c832da39cbb4b59
                                                                                                                                                        • Opcode Fuzzy Hash: 9ac60c98df281ad08768530760961e31e407778aafde28f50a4a9e7a925ef691
                                                                                                                                                        • Instruction Fuzzy Hash: 90D1E071A0060A9FDF05CFA9C841AFEB7F1BF88318F18856AD955AB241E735E905CB60
                                                                                                                                                        Function 014A8397 Relevance: .4, Instructions: 380COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 76f60b3fa9faa541b9d331a2b4d144826d8f8f2a447402ea904c91c4f224a5e9
                                                                                                                                                        • Instruction ID: 2a1aec650d2dbe23714ca3e3df1fabd70d9a1b2b32a47ece701a6a820b810191
                                                                                                                                                        • Opcode Fuzzy Hash: 76f60b3fa9faa541b9d331a2b4d144826d8f8f2a447402ea904c91c4f224a5e9
                                                                                                                                                        • Instruction Fuzzy Hash: 3BD1E175A006079BDB15CF69CC80EBE7BB5FF64205F46422EE916DB2A0EB30D951CB60
                                                                                                                                                        Function 014B65D0 Relevance: .4, Instructions: 365COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c52215d53b2418e708e7426c85f5e6402a063f234cc38e05a2bb31085e4f4f74
                                                                                                                                                        • Instruction ID: e15c65ca353823d5ad9125c8b1b3c5bd43a4cbc5f4c4a231963db084a7394b27
                                                                                                                                                        • Opcode Fuzzy Hash: c52215d53b2418e708e7426c85f5e6402a063f234cc38e05a2bb31085e4f4f74
                                                                                                                                                        • Instruction Fuzzy Hash: 4BE16D75508342CFD715CF28C1D0AABBBE1BF99304F06896EE99987361D731E905CBA2
                                                                                                                                                        Function 01538243 Relevance: .3, Instructions: 322COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                        • Instruction ID: 666c823b1f11cfb02e0ef5ba0a38a7f79589662670e73bb8826049fd0622775c
                                                                                                                                                        • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                        • Instruction Fuzzy Hash: 6CB15E74A00605AFDF28DB99C940EAFBBB9BFC4304F14456DBA529B791DA34E909CB10
                                                                                                                                                        Function 014C0535 Relevance: .3, Instructions: 300COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                        • Instruction ID: 4a1e98d25dcb66a0ac3fe2b0eb5c003766eed422cf75a70ca94c632288bb4a67
                                                                                                                                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                        • Instruction Fuzzy Hash: 13B1E339600646DFEB16CBA8C850BBEBBF6BF94700F14415EE6529B395D730E942CB90
                                                                                                                                                        Function 014B83C0 Relevance: .3, Instructions: 281COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6f6aff7a7204d9fd01659013fc8c55ba6addd687eacd54456570a03200bf701e
                                                                                                                                                        • Instruction ID: cf7cde58c03545fe84b5bd329fb61fc8f4736ad086d0ecbeb4f7be6548e8903a
                                                                                                                                                        • Opcode Fuzzy Hash: 6f6aff7a7204d9fd01659013fc8c55ba6addd687eacd54456570a03200bf701e
                                                                                                                                                        • Instruction Fuzzy Hash: 74C15A741083418FE764DF19C484BABB7E5BF98304F44496EE9898B3A1D774E904CF62
                                                                                                                                                        Function 014AC427 Relevance: .3, Instructions: 280COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e3dca18ac0865c4a2424bb75db459cca0e4d82be2d3820378f946c0809fec30c
                                                                                                                                                        • Instruction ID: a79acf5f8ca07696c715080a16dccba2cb7a88f1fac2cc75b4590594d3f29c4c
                                                                                                                                                        • Opcode Fuzzy Hash: e3dca18ac0865c4a2424bb75db459cca0e4d82be2d3820378f946c0809fec30c
                                                                                                                                                        • Instruction Fuzzy Hash: A0B17270A002668BDB65CF59C890BADB3B5EF54700F4585EAE54AEB391DB309D86CB20
                                                                                                                                                        Function 014F0185 Relevance: .3, Instructions: 276COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 231b91d7c4de3fa3f926fcbc69ebcc2f1e01896e185c969d84d164837620089d
                                                                                                                                                        • Instruction ID: b2c5640f664833471866fe769cf3ac2e40f19b2b54c663e6a193fac6d595e806
                                                                                                                                                        • Opcode Fuzzy Hash: 231b91d7c4de3fa3f926fcbc69ebcc2f1e01896e185c969d84d164837620089d
                                                                                                                                                        • Instruction Fuzzy Hash: 6BA1C471B006269FDB25DF69C490BAAB7E2FF94314F14402EEB059B3A2DB74E812C750
                                                                                                                                                        Function 01584500 Relevance: .3, Instructions: 275COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 420e67a067b7f18c3f80bf878dd1695c008ba30865781120c3629526d320428d
                                                                                                                                                        • Instruction ID: c29ea4637456fff3e9421aa70d171b4dc3716533247e08d41dd68d3301680af7
                                                                                                                                                        • Opcode Fuzzy Hash: 420e67a067b7f18c3f80bf878dd1695c008ba30865781120c3629526d320428d
                                                                                                                                                        • Instruction Fuzzy Hash: 42A1DD72A10252DFC711EF19C980B6ABBE9FF58704F45092DEA86EB660D374E901CB91
                                                                                                                                                        Function 01582B57 Relevance: .3, Instructions: 266COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                        • Instruction ID: dfabd05c7b3035e3fb972e84fe72c0ff4393aeb1729d3fe00bab11aa1b0a3d59
                                                                                                                                                        • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                        • Instruction Fuzzy Hash: DFB12875E0161ADFDF19DFA9C880AADBBF5BF48310F14812AE915BB350D730A941CB94
                                                                                                                                                        Function 015360E0 Relevance: .3, Instructions: 264COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 57b8753d29ca7364c4e0d17896b8e9a886eceb69fe20fca3deb6d1a21419adea
                                                                                                                                                        • Instruction ID: 847c0171c857aa09473a773a5b7b22119685a9d9190d6140c0eae5f302bad964
                                                                                                                                                        • Opcode Fuzzy Hash: 57b8753d29ca7364c4e0d17896b8e9a886eceb69fe20fca3deb6d1a21419adea
                                                                                                                                                        • Instruction Fuzzy Hash: 77916F71E00216BFDF15CFA9D894BAEBBB5BB88710F15416DE610EF251D734EA009BA0
                                                                                                                                                        Function 014E63FF Relevance: .3, Instructions: 261COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 06e45c985ab9d1ad1506924c965b5d2599983c0b2a174b432f68ec567451384c
                                                                                                                                                        • Instruction ID: af3658c560d412eaaf17bc8cba4bf8a082f15f9a5484a6b4ec4a389a92ed30fe
                                                                                                                                                        • Opcode Fuzzy Hash: 06e45c985ab9d1ad1506924c965b5d2599983c0b2a174b432f68ec567451384c
                                                                                                                                                        • Instruction Fuzzy Hash: 0D912731B403269BEB25DF59D848BAE7BE1BF62B14F56012ED5106F2E1D7B09801C794
                                                                                                                                                        Function 014CE3F0 Relevance: .3, Instructions: 261COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3ac8638137efed42426dec7b984aa40c1281c1966fda0fd951378cca1eb41855
                                                                                                                                                        • Instruction ID: 7ee69478b40ec3438a531876bdbbf831c02593e731fde4ef953a57b8fea6be16
                                                                                                                                                        • Opcode Fuzzy Hash: 3ac8638137efed42426dec7b984aa40c1281c1966fda0fd951378cca1eb41855
                                                                                                                                                        • Instruction Fuzzy Hash: 5D913439A00616CBEB65DB59C440B7EBBA2FFA4B14F05406EED05AF3A4E734D902C791
                                                                                                                                                        Function 015389B3 Relevance: .3, Instructions: 259COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fbae44722612372bf897c9ca092ec5e3f120b18e5ff930c6e73e16ea35a8218a
                                                                                                                                                        • Instruction ID: 35535e58dc6de5e31ae04d52a4e74a1a1348ef1fc4db4dd3b6691514be4ec978
                                                                                                                                                        • Opcode Fuzzy Hash: fbae44722612372bf897c9ca092ec5e3f120b18e5ff930c6e73e16ea35a8218a
                                                                                                                                                        • Instruction Fuzzy Hash: 589134B1681306AFD726DF69C890F5A7BE4BFE0B14F860A1DFA506F250D7709C058791
                                                                                                                                                        Function 0157AB40 Relevance: .2, Instructions: 222COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                        • Instruction ID: 906b8ed670be6033c9dfce60f992a3ab72561d76ff8db7884ce8fbffde4675c2
                                                                                                                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                        • Instruction Fuzzy Hash: D1817072A0020A9FDF19CF99D891AAEBBF6FF84310F188569E9169F345D734E901CB50
                                                                                                                                                        Function 014EE284 Relevance: .2, Instructions: 212COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4c86d962c2104173f55090f5a73b3e1b68b3c2c244846f121f965d2e8fd4c890
                                                                                                                                                        • Instruction ID: a854c92d673c8b75033c7533d3c644e93d64f421ff4707bc158287476bc3f891
                                                                                                                                                        • Opcode Fuzzy Hash: 4c86d962c2104173f55090f5a73b3e1b68b3c2c244846f121f965d2e8fd4c890
                                                                                                                                                        • Instruction Fuzzy Hash: 01815E71A00619AFDB25CFA9C884AEEBBF9FF88354F10442EE555A7360D770AC45CB60
                                                                                                                                                        Function 014B64AB Relevance: .2, Instructions: 211COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1ca19d378c7792b4b3872cf5e10e074c7bd1d210c20bee784cd4556305b1c319
                                                                                                                                                        • Instruction ID: f7479d910efa230ed0855deb3fffcb634093363fce32784667e7f40787f45285
                                                                                                                                                        • Opcode Fuzzy Hash: 1ca19d378c7792b4b3872cf5e10e074c7bd1d210c20bee784cd4556305b1c319
                                                                                                                                                        • Instruction Fuzzy Hash: D871E0B19043059FCB21DF15C8C5F9B7BA8AFA4754F41046EF9488B2A6D334D199CBE2
                                                                                                                                                        Function 014CC640 Relevance: .2, Instructions: 206COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6ba47dcdd17749da4cc949e8a5f468faccfa631b8f4649586eb26613fb822e2c
                                                                                                                                                        • Instruction ID: 758845975f28787e8627caa2e67b34ae5b97bf13405fcf166e9f15c289a2b3c8
                                                                                                                                                        • Opcode Fuzzy Hash: 6ba47dcdd17749da4cc949e8a5f468faccfa631b8f4649586eb26613fb822e2c
                                                                                                                                                        • Instruction Fuzzy Hash: D971DD79D0122ADFDB268F59C9907BEBBB0FF58B10F54415EE856AB364D3309805CBA0
                                                                                                                                                        Function 015647A0 Relevance: .2, Instructions: 202COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 11bbeea89bec17a4bfa40ad3b47fb9e4125d991490f1f13a9fdc913f47329189
                                                                                                                                                        • Instruction ID: 69d93bfa066b59163098a2b3a5fb00aeb2c46a0b05196038d738d75545f820cf
                                                                                                                                                        • Opcode Fuzzy Hash: 11bbeea89bec17a4bfa40ad3b47fb9e4125d991490f1f13a9fdc913f47329189
                                                                                                                                                        • Instruction Fuzzy Hash: 39719E70A40245EFDB24CFA9D950A9EBFFDFF90340F49815AE620AF298C7718944DB94
                                                                                                                                                        Function 014C260B Relevance: .2, Instructions: 201COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9626fa83bee85a2c97ae065f76667800d484df1df9669cc58037717aa6ed7e38
                                                                                                                                                        • Instruction ID: 720551fa63d00c3efbbcac342ad4375e0f88a8d250dc4d65bff8ed3996f5f08c
                                                                                                                                                        • Opcode Fuzzy Hash: 9626fa83bee85a2c97ae065f76667800d484df1df9669cc58037717aa6ed7e38
                                                                                                                                                        • Instruction Fuzzy Hash: F371D2397046429FD352DF2CC480B6AB7E5FF94710F0485AEE8998B361DBB4D846CBA1
                                                                                                                                                        Function 014EA660 Relevance: .2, Instructions: 200COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5516a4e73abdc986cc80b46e7c6660fc73e84bee5a55eb8dd00992f53f6d9f90
                                                                                                                                                        • Instruction ID: 3188b069a80dd46d0f616b4d2e07e3a762e448638b8946dc15922e3d4f6e23f9
                                                                                                                                                        • Opcode Fuzzy Hash: 5516a4e73abdc986cc80b46e7c6660fc73e84bee5a55eb8dd00992f53f6d9f90
                                                                                                                                                        • Instruction Fuzzy Hash: EA717076E0022ACFDF28CF9DD5906ADBBF1BF59710F14812EE905AB291E7709841CB50
                                                                                                                                                        Function 0153035C Relevance: .2, Instructions: 198COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                        • Instruction ID: f7391a0c09604ee458bf00213f3670f467528f80f9f921c875f731c0c51b9a4e
                                                                                                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                        • Instruction Fuzzy Hash: 55716071A0061AEFDB11DFA9C984EDEBBB9FF98700F104569E505EB290DB34EA01CB50
                                                                                                                                                        Function 015462A0 Relevance: .2, Instructions: 198COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3849df167d37a9bb142b28c37e16d3ae5d97eed6b03abf0792181e9fc8abbdf5
                                                                                                                                                        • Instruction ID: b6421eb19b4996a3dacf1896bbe979ee2df09420b32add888735f38dc4fb08af
                                                                                                                                                        • Opcode Fuzzy Hash: 3849df167d37a9bb142b28c37e16d3ae5d97eed6b03abf0792181e9fc8abbdf5
                                                                                                                                                        • Instruction Fuzzy Hash: 5C71E132200B02AFEB32CF19C884F5ABBE6FB55728F15482DE6158F2A0D774E944CB50
                                                                                                                                                        Function 01588324 Relevance: .2, Instructions: 192COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dc0c222d1c47b03368f43210891114f397dde37882955c455a700c187dc34c52
                                                                                                                                                        • Instruction ID: 12826c632474f2e90521f80804bba61852849277c1b1c24a027a55c709806195
                                                                                                                                                        • Opcode Fuzzy Hash: dc0c222d1c47b03368f43210891114f397dde37882955c455a700c187dc34c52
                                                                                                                                                        • Instruction Fuzzy Hash: F2711B71E0020ABFDB15DF95CC41FEEBBB9FB14350F50412AE610BA290D774AA05CBA0
                                                                                                                                                        Function 014C0A5B Relevance: .2, Instructions: 190COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 85cf7f159f738681e15ebba6bc724e2a9795509692774b460a566cac69704593
                                                                                                                                                        • Instruction ID: eaf758eecd583632b640c1d5d4814e3de91f3af478119f3762a43abd355db8d2
                                                                                                                                                        • Opcode Fuzzy Hash: 85cf7f159f738681e15ebba6bc724e2a9795509692774b460a566cac69704593
                                                                                                                                                        • Instruction Fuzzy Hash: 3D61C178610302DFEB69CF28C480B6ABBE1FF55B04F14855EE4558F2A6E770E881CB91
                                                                                                                                                        Function 014C61D1 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5847c38a8eada3ef1d76b6185a01a028dfced4b36691892224b709589c4f5e6d
                                                                                                                                                        • Instruction ID: 3553099af298cdc9f8845a2a318da81f6aa4eed53c361d45f065ceffc1b46161
                                                                                                                                                        • Opcode Fuzzy Hash: 5847c38a8eada3ef1d76b6185a01a028dfced4b36691892224b709589c4f5e6d
                                                                                                                                                        • Instruction Fuzzy Hash: F471E638A016268FDB65CF58C4507AEF7B2BF84B04F15852ED856AB361CB74AC43CB80
                                                                                                                                                        Function 0156A250 Relevance: .2, Instructions: 184COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4679dcc30f1dce3961f5ec3bca2cbdefaecaeb516a8f9bb21fce4cfd29c2d048
                                                                                                                                                        • Instruction ID: 187bc803dc0e49ed9af30bcd682227ac9fd0d43dfe4a6c8941f6838b4e2148a0
                                                                                                                                                        • Opcode Fuzzy Hash: 4679dcc30f1dce3961f5ec3bca2cbdefaecaeb516a8f9bb21fce4cfd29c2d048
                                                                                                                                                        • Instruction Fuzzy Hash: F6516C72504612AFD721DA68C844B5BBBECFBD5750F05492EBA40EF250E670ED05CBE2
                                                                                                                                                        Function 0152E6F2 Relevance: .2, Instructions: 179COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: b31bddaece785337c585803df3bfe7cb457d0d5ed87f3ca85533f40abd302e5b
                                                                                                                                                        • Instruction ID: f940249c69548591e07ba92c5a0826a8c5f06ced41fc0dd75ad968b5f025d416
                                                                                                                                                        • Opcode Fuzzy Hash: b31bddaece785337c585803df3bfe7cb457d0d5ed87f3ca85533f40abd302e5b
                                                                                                                                                        • Instruction Fuzzy Hash: 7B616D72E002299FDB14DFA9C881BAEBBF5FB55700F14442EE649EB291D771E900CB50
                                                                                                                                                        Function 01558350 Relevance: .2, Instructions: 161COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c98f1db26b6e95db80bad0aa5713b1dbb7a9e5509cafb5545ba62d96d7ff8a1f
                                                                                                                                                        • Instruction ID: 6b70b88331cd2b5875e27b4cb7d36eb547d8eda8777cd8c0db9a4e8bcd1bdc56
                                                                                                                                                        • Opcode Fuzzy Hash: c98f1db26b6e95db80bad0aa5713b1dbb7a9e5509cafb5545ba62d96d7ff8a1f
                                                                                                                                                        • Instruction Fuzzy Hash: FD51BD70900705DFD761CF5AC890AABFBF8BF94714F104A1FEA929B6A1C7B0A541CB50
                                                                                                                                                        Function 014EE443 Relevance: .2, Instructions: 158COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 3b1d6c48604ae19804c2dfc967fda7724702173dae95ba62782abe70b1ec75da
                                                                                                                                                        • Instruction ID: 420b28202bd8bcd9f9f08f4a1c63670f769bf84cb70431fca85722179ca65a80
                                                                                                                                                        • Opcode Fuzzy Hash: 3b1d6c48604ae19804c2dfc967fda7724702173dae95ba62782abe70b1ec75da
                                                                                                                                                        • Instruction Fuzzy Hash: 2A517E72200A15DFCB22EFAAC984EAAB3F9FF25744F51046EE65197270D734E941CB50
                                                                                                                                                        Function 01554180 Relevance: .2, Instructions: 156COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a5dbd0b363466d0d122f4ab9bb6122d55b3a2478124646e55aa9eda8b981d0bc
                                                                                                                                                        • Instruction ID: 138564701b1869d3a744ffc76d0614d28d21bacecf8853dabef2f057afb60306
                                                                                                                                                        • Opcode Fuzzy Hash: a5dbd0b363466d0d122f4ab9bb6122d55b3a2478124646e55aa9eda8b981d0bc
                                                                                                                                                        • Instruction Fuzzy Hash: C9518F716083028FD794DF29C890A6FB7E5BFD8204F45492EF985CB261E730D985CB52
                                                                                                                                                        Function 014D45B1 Relevance: .2, Instructions: 156COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                        • Instruction ID: 58eab6dd20cd9fecc70c37c1fa6b09511a92a942b84815f2f79914523fd97bf4
                                                                                                                                                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                        • Instruction Fuzzy Hash: 1A51EF75E0021AABDF12CF98C460BFEBBB5AF54310F09406AEA05AB360D734DD44CBA0
                                                                                                                                                        Function 0153E9E0 Relevance: .2, Instructions: 154COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                        • Instruction ID: 84b59caf878e72458e835e0250bc67135ed374ec1c47279324a3632ef2f5f913
                                                                                                                                                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                        • Instruction Fuzzy Hash: 9351B931D0020AEFDF169F94C896FAEBBF5FB90314F154659D6116B290D7709E418BA0
                                                                                                                                                        Function 01554978 Relevance: .2, Instructions: 153COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 38536b9cd7cb1d853e23224774d71d0bdfbf1ad97a89118cce66e8976536f49e
                                                                                                                                                        • Instruction ID: 3bd9f7732fa7e0b9e82c7a5c4758db6fb458a09dfe025b5078598fce2e8157f4
                                                                                                                                                        • Opcode Fuzzy Hash: 38536b9cd7cb1d853e23224774d71d0bdfbf1ad97a89118cce66e8976536f49e
                                                                                                                                                        • Instruction Fuzzy Hash: F8519272D0022A9BDF90DFA9D850AEEBBB5BF14A10F05412BED15BF250E7749841CBA4
                                                                                                                                                        Function 01578B28 Relevance: .2, Instructions: 152COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                                                                                                                                                        • Instruction ID: 764c00e6720f204bd8dd565b8cb2d5505fd2390541b74f14c3fce759befae6f4
                                                                                                                                                        • Opcode Fuzzy Hash: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                                                                                                                                                        • Instruction Fuzzy Hash: B041DB717016129BD725DB2DE89AF7FBB9AFFD0620F088519E9598F280D730D801C791
                                                                                                                                                        Function 014CE627 Relevance: .1, Instructions: 148COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 468cf280ef63ca2932d86db38c47f2c48e98f66f0ae68285431190e3236ef1b0
                                                                                                                                                        • Instruction ID: c9927c52ccfe604bae69f3ffbcc217884c8ad1d75ae317650346e3a148ef7c3d
                                                                                                                                                        • Opcode Fuzzy Hash: 468cf280ef63ca2932d86db38c47f2c48e98f66f0ae68285431190e3236ef1b0
                                                                                                                                                        • Instruction Fuzzy Hash: 5641C17A5093029BD761DA76C840B6FBBE8AF98A04F44092FF684F7260E774D905C792
                                                                                                                                                        Function 0153CBF0 Relevance: .1, Instructions: 148COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                                                                                                                                                        • Instruction ID: 5e3813d31fb3726cab0727e69ad9d050adaa67f9a606f4ea7fb120aa928ed561
                                                                                                                                                        • Opcode Fuzzy Hash: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                                                                                                                                                        • Instruction Fuzzy Hash: 7A518E7590021ADFCB20DFA9C98499EBBB9FB98314B55491AE516BB300D734AD01CB90
                                                                                                                                                        Function 0157A9D3 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                        • Instruction ID: 42dd89a2f412ab4c8c8be773bcb08255b2e0e6a5823ad9368aaec86c0885ff64
                                                                                                                                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                        • Instruction Fuzzy Hash: F041F9726007169FDB25DF28D981A6FB7E9FF90210B09462EE9568F640EB70ED14C7D0
                                                                                                                                                        Function 014E01F8 Relevance: .1, Instructions: 138COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                                                                                                                                                        • Instruction ID: a366b117288730945c38f04393a2189fe4d3421a757511f273caabaa6197d243
                                                                                                                                                        • Opcode Fuzzy Hash: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                                                                                                                                                        • Instruction Fuzzy Hash: 1541AC36A012159BDB11DF98C444AEEB7F4BF58611F14812BF825AB360D7B49C42CBA4
                                                                                                                                                        Function 014F2750 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                        • Instruction ID: fb63e463adf30970e5ae953e7002f958b1a6a9df7238b4dc64974d23b8e6d93d
                                                                                                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                        • Instruction Fuzzy Hash: 84516C76A00625CFCB15CF58C480AADF7B2FF85710F2481A9D915AB795D770EE42CB90
                                                                                                                                                        Function 014B6154 Relevance: .1, Instructions: 133COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                                                                                                                                                        • Instruction ID: 9a52bb93c7c1d7a8a931b4da5453ed6c82db547a501a5b9fb999efade10dbcb4
                                                                                                                                                        • Opcode Fuzzy Hash: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                                                                                                                                                        • Instruction Fuzzy Hash: C6510670940217DBEB2A9B28CC40BEDBBB1FF21314F1582AAD5259B2E5D7749981CF50
                                                                                                                                                        Function 014B0BCD Relevance: .1, Instructions: 130COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                                                                                                                                                        • Instruction ID: d83d085b63af053fe4ef72de6650f063db1b4e833fbf122d0e769eec37abc7ed
                                                                                                                                                        • Opcode Fuzzy Hash: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                                                                                                                                                        • Instruction Fuzzy Hash: 9041C476A00228DBDB21DF69C881BEE77B4FF54740F0504AAE908AB251D7749E81CF91
                                                                                                                                                        Function 0152C730 Relevance: .1, Instructions: 129COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1c352825921c115f9edaa526fa57d8c187bb005b34684941d22b7027565808fe
                                                                                                                                                        • Instruction ID: 233010fd1aa6017fbb8acfdaafa7a99b6ed9e0845192fd29e1e2bc1367866f4e
                                                                                                                                                        • Opcode Fuzzy Hash: 1c352825921c115f9edaa526fa57d8c187bb005b34684941d22b7027565808fe
                                                                                                                                                        • Instruction Fuzzy Hash: 754146F2D0052DAADB21DA50CC84FDE777CBB55714F0085A9E708AB191DB709E498FA4
                                                                                                                                                        Function 0157866E Relevance: .1, Instructions: 129COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                        • Instruction ID: dec2726912a24e31e2d62df118fc6b858314ebd5b1a466267891ffa05a341a01
                                                                                                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                        • Instruction Fuzzy Hash: B341A675B00106ABDB15DF99DC9AABFBBBABF98600F244069E905EB341D670DD01C7A0
                                                                                                                                                        Function 014B0887 Relevance: .1, Instructions: 128COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                                                                                                                                                        • Instruction ID: 1a7a47ae35e795cae5f0f790434729828ff2a88af28662a560e27127e5efeda2
                                                                                                                                                        • Opcode Fuzzy Hash: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                                                                                                                                                        • Instruction Fuzzy Hash: 4341E2706007029FE325CF29C580A67B7F5FF58315B144A6FE55787A60E770E846CBA0
                                                                                                                                                        Function 014DA470 Relevance: .1, Instructions: 127COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                                                                                                                                                        • Instruction ID: 4f9761fdef475f628bee202c345a1027d5f6167523bb2cdcee5ff9ea70806965
                                                                                                                                                        • Opcode Fuzzy Hash: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                                                                                                                                                        • Instruction Fuzzy Hash: 0341F332980205CFDF22DF68C4A47EE7BB4FB54310FA9016AD521AB3A5DB74D905CB64
                                                                                                                                                        Function 014B8BF0 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                                                                                                                                                        • Instruction ID: c8894c0cc2324323e133c68e6a18e73e49de61aa8b7d87233602c008259f3aeb
                                                                                                                                                        • Opcode Fuzzy Hash: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                                                                                                                                                        • Instruction Fuzzy Hash: 96412671900203CBD7259F89C880A9EBBBDFB94710F69802FD5219F365D374D802DBA0
                                                                                                                                                        Function 014A8918 Relevance: .1, Instructions: 123COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                                                                                                                                                        • Instruction ID: 1563115baf6075314d793e181214efa8859266b146d8974e13fac53c07ac018e
                                                                                                                                                        • Opcode Fuzzy Hash: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                                                                                                                                                        • Instruction Fuzzy Hash: AC414D755083069ED712DF658880A6BF6E9FF94B54F81092FF984DB260E730DE058B93
                                                                                                                                                        Function 014AA020 Relevance: .1, Instructions: 122COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                        • Instruction ID: f6ba070304c21f8246e5a20796d76cd38e1ecfbf0ae882d6fc5173ea4f873110
                                                                                                                                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                        • Instruction Fuzzy Hash: 85413C75A04211DBDB12DE9984C0BBEBB71FB70754FA7806FE9558F290D6329D40CB90
                                                                                                                                                        Function 014B09AD Relevance: .1, Instructions: 122COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                                                                                                                                                        • Instruction ID: dcb146371944a3248aaa56a80c3f80fd07aaec60d6fb9d8fd7cfdec2437a9932
                                                                                                                                                        • Opcode Fuzzy Hash: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                                                                                                                                                        • Instruction Fuzzy Hash: D7414A71640601DFD721CF59C880B67BBF4FB68715F248A6EE4498B361E771E9428BA0
                                                                                                                                                        Function 014E0710 Relevance: .1, Instructions: 121COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                        • Instruction ID: bbbfb0c8504e505f416fe5459eaf85b227ccad997d719644269bdd719926071d
                                                                                                                                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                        • Instruction Fuzzy Hash: 11413975A00605EFDB24CF99C994AAABBF4FF18701B10496EE566D7260D370EA44CF50
                                                                                                                                                        Function 014BA2C3 Relevance: .1, Instructions: 118COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b5dee811b708dd3c608e3566c1a6c4e80468056f6c8ff099fc394039054ed61a
                                                                                                                                                        • Instruction ID: e40e05d34f0f381162dc300cdee200ef58d0d5bdf797388bd8291924d82ed589
                                                                                                                                                        • Opcode Fuzzy Hash: b5dee811b708dd3c608e3566c1a6c4e80468056f6c8ff099fc394039054ed61a
                                                                                                                                                        • Instruction Fuzzy Hash: 0141AF30A05649DBEB12DF59C480BAE7BB4FF94700F24806AE900DF3A5E375D941CB60
                                                                                                                                                        Function 014EC8F9 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                                                                                                                                                        • Instruction ID: 86850f4f2da0876ab766f76735dbf546c65b5189a5caa1f47818cd3a8b8d9fb2
                                                                                                                                                        • Opcode Fuzzy Hash: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                                                                                                                                                        • Instruction Fuzzy Hash: 84317AB2A01355DFDB12DFA8D040799BBF0FB49715F2081AED119EB2A1D3369902CF90
                                                                                                                                                        Function 014A80A0 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 634bb28c4a9080652c91686a188394e313146d6190dde2d75df43e1b165c948b
                                                                                                                                                        • Instruction ID: d6d98750c9ce7f1d2e14774ba121fe4d84a2830896fc4c5ef8c83a7e2c43d915
                                                                                                                                                        • Opcode Fuzzy Hash: 634bb28c4a9080652c91686a188394e313146d6190dde2d75df43e1b165c948b
                                                                                                                                                        • Instruction Fuzzy Hash: 8841F671A055179FCB01DF59C880AA9B7B1FF74761F55822BD815A72A0DB30FD428BD0
                                                                                                                                                        Function 015305A7 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                                                                                                                                                        • Instruction ID: eea155453c0594f62a31ce23daffacc86061a13a13e31ea98d4604d57b87ad1a
                                                                                                                                                        • Opcode Fuzzy Hash: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                                                                                                                                                        • Instruction Fuzzy Hash: FA41BF726047429FD321DF69C840A6EB7E9BFD8700F144A2EF9949B690E730E905C7A6
                                                                                                                                                        Function 014A8B50 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 10f5f0c83505a635b783361741fb6087f9b7da836b102462a27fb598f6909609
                                                                                                                                                        • Instruction ID: ccaa4833b569f3e35b5e1e3db0a4af6f05982f28a16254814bfb2ca1e34fd8ea
                                                                                                                                                        • Opcode Fuzzy Hash: 10f5f0c83505a635b783361741fb6087f9b7da836b102462a27fb598f6909609
                                                                                                                                                        • Instruction Fuzzy Hash: 61418CB1A01206CFCB15CF69C98099DBBF1FFA8221B55862FD566A72B0DB30A9018F40
                                                                                                                                                        Function 014E2674 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ae411df427e57634da3db784acd7a76dfc70c059a9984c127c651c49c20b756e
                                                                                                                                                        • Instruction ID: 988f5b77da39e4489ee4c14a288a47bdb4192b037a467266880713f93cb3ef1b
                                                                                                                                                        • Opcode Fuzzy Hash: ae411df427e57634da3db784acd7a76dfc70c059a9984c127c651c49c20b756e
                                                                                                                                                        • Instruction Fuzzy Hash: 82310B3BF4022577FB119A958C45F6B7BACEB95A51F15005BFA04AF260D2B09A01C7A1
                                                                                                                                                        Function 014C02E1 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                        • Instruction ID: 507d2dfbdf8dcf0e3e5e3fce6fbe9bb670eb388c9f922aeabcb58effc63ce9ca
                                                                                                                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                        • Instruction Fuzzy Hash: 54310439A04245EBDB528B69CC84BDBBBE8AF54750F0441ABF415DB362C7749844CBA0
                                                                                                                                                        Function 0155E3DB Relevance: .1, Instructions: 105COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0629dafa43cbd7cbfe8a99619c9559a6f9447a23b9d7c2b5410b0b36fd3fa064
                                                                                                                                                        • Instruction ID: c68f0d4a8bf5047e691bed359d58786cdb348bc3f1f0b173510e16c30eab1bef
                                                                                                                                                        • Opcode Fuzzy Hash: 0629dafa43cbd7cbfe8a99619c9559a6f9447a23b9d7c2b5410b0b36fd3fa064
                                                                                                                                                        • Instruction Fuzzy Hash: 2131AA75740706EBDB229F558C51F6FBAA8FB58B50F01002EFA00AF291DAB4DD00C7A0
                                                                                                                                                        Function 01564B4B Relevance: .1, Instructions: 104COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b1592ffd6698be637ae4b21aaa2de8930c0005bb3e02587e8383aaf99c44308e
                                                                                                                                                        • Instruction ID: 123dd9031dd11102a4d4cc45b1797793cea82616acb9f64039b4564b93878b0f
                                                                                                                                                        • Opcode Fuzzy Hash: b1592ffd6698be637ae4b21aaa2de8930c0005bb3e02587e8383aaf99c44308e
                                                                                                                                                        • Instruction Fuzzy Hash: 2F31D4322052018FD721DF1DD890E2ABBE9FB80360F4A446EE9658F765DB30E844DBD1
                                                                                                                                                        Function 014B4260 Relevance: .1, Instructions: 102COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                                                                                                                                                        • Instruction ID: cd32e53bc1695d58d8a7d5e41fb9a233e158dcfa04ac927558645c0de84c2b8b
                                                                                                                                                        • Opcode Fuzzy Hash: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                                                                                                                                                        • Instruction Fuzzy Hash: 1F41D171200705DFD722DF28C880FDA7BE4BF55710F18842EE6AA8B2A1C770E845CB60
                                                                                                                                                        Function 01564BB0 Relevance: .1, Instructions: 101COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0753d762af869ed6307a1119823acd8ea7af4befc70577c2806a4bcbb8641c41
                                                                                                                                                        • Instruction ID: 219c28dc1655a5d4198cf1347ef4cbb64128424c8d3105a7ecaaf2482d9f7ab6
                                                                                                                                                        • Opcode Fuzzy Hash: 0753d762af869ed6307a1119823acd8ea7af4befc70577c2806a4bcbb8641c41
                                                                                                                                                        • Instruction Fuzzy Hash: B4318F716042018FE720DF29C890E2ABBE9FB84750F0A496DF9659F795E730EC04DB91
                                                                                                                                                        Function 0152EB1D Relevance: .1, Instructions: 100COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                                                                                                                                                        • Instruction ID: 92a1fe4866dac4facea1c8a635d9c3df0ee44851ddc5d835cbe8eb9df2e8835a
                                                                                                                                                        • Opcode Fuzzy Hash: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                                                                                                                                                        • Instruction Fuzzy Hash: 0D31D4336016A29BF3229B9DC949B697BD8FB56B44F1D00A4EA459F6E1DB38D841C220
                                                                                                                                                        Function 015761C3 Relevance: .1, Instructions: 97COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                                                                                                                                                        • Instruction ID: b444856efcb3afc6b8849738e260df317897d9e8642fb612780ff0490b3e5836
                                                                                                                                                        • Opcode Fuzzy Hash: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                                                                                                                                                        • Instruction Fuzzy Hash: 6031EF76A0061AABEB15DF98CC41BAEB7B9FB48B40F454169E900EF254D770ED00CBA4
                                                                                                                                                        Function 0155483A Relevance: .1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5e6a6e0f00d3e40ba6f40e8dbfd5cfc1e5ff04b0ad0ae78b9ac6013209b59f6d
                                                                                                                                                        • Instruction ID: 36c8736331c32b8240f4238edbbbed2807408fd718199e3515d1d96308fa7e70
                                                                                                                                                        • Opcode Fuzzy Hash: 5e6a6e0f00d3e40ba6f40e8dbfd5cfc1e5ff04b0ad0ae78b9ac6013209b59f6d
                                                                                                                                                        • Instruction Fuzzy Hash: 40318776A4012DABCF61DF55DC84BDE7BB9BB98310F1000A6E908A7260DB30DE91CF90
                                                                                                                                                        Function 014DEB20 Relevance: .1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                                                                                                                                                        • Instruction ID: 3bd9522021c5c743b7e936f0340e79e1240932fc6bd243a58607b7fad666238c
                                                                                                                                                        • Opcode Fuzzy Hash: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                                                                                                                                                        • Instruction Fuzzy Hash: 3931B972E00215AFDF21DFA9CC40AAFB7F8EF54750F01442BE515EB260D6709E019BA0
                                                                                                                                                        Function 015760B8 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                                                                                                                                                        • Instruction ID: d81d264e7620a2bcacc94982002c0355dddd0fb2f4b8575fb3d4da1ce5fbb322
                                                                                                                                                        • Opcode Fuzzy Hash: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                                                                                                                                                        • Instruction Fuzzy Hash: AD31E235B40A02EFEB129FAAE845A6EBBB9BB54754F00406EE505DF352DA70DC008B90
                                                                                                                                                        Function 014B07AF Relevance: .1, Instructions: 95COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                                                                                                                                                        • Instruction ID: 77359e30ae485adcf7962e23be4f215460a623fabf92c0f04d3b3782521b3818
                                                                                                                                                        • Opcode Fuzzy Hash: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                                                                                                                                                        • Instruction Fuzzy Hash: E131C272A04612DBC712DE6988C0AABBBB5AFA4651F01452EFD55AB330DB30DD0287F1
                                                                                                                                                        Function 014B8550 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                                                                                                                                                        • Instruction ID: 48bf1cd5813f7cf08be5046dc89cb704ff0db9e8ee0c03525304b8802b78d68d
                                                                                                                                                        • Opcode Fuzzy Hash: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                                                                                                                                                        • Instruction Fuzzy Hash: 513181716053028FE721CF19C840B5BBBE5FB98700F154A6EF9849B365D770E944CBA1
                                                                                                                                                        Function 0152CA72 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8e18a2997071cbed2aab9d00d753d99c14139cf8a200979899886ce11001ac55
                                                                                                                                                        • Instruction ID: 89eaea1803acb5bc0f4dbd8044849350882c652864046b247ed174fcbbb90a5d
                                                                                                                                                        • Opcode Fuzzy Hash: 8e18a2997071cbed2aab9d00d753d99c14139cf8a200979899886ce11001ac55
                                                                                                                                                        • Instruction Fuzzy Hash: AA31033790052AAFEB15DB59C851E6FBBB4FB92760F014169E905AB292D730DE00DBE0
                                                                                                                                                        Function 014EA6C7 Relevance: .1, Instructions: 92COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                        • Instruction ID: 98ce1d0e44b87bed9815603be767ccee0e5862a7e30c08199dbdb7dadfde9c23
                                                                                                                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                        • Instruction Fuzzy Hash: 3B312DB2B00711AFD761CF69CD44B57BBF8BF19A50F14092EA59AC7761E670E900CB60
                                                                                                                                                        Function 014D438F Relevance: .1, Instructions: 89COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                                                                                                                                                        • Instruction ID: f5f261eabcaf568b6d57ff2f5bec2513f602fcafd52ec8e588cb50361f9ae003
                                                                                                                                                        • Opcode Fuzzy Hash: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                                                                                                                                                        • Instruction Fuzzy Hash: 5431F631B002069FDF20DFA9C990A6E77F9BBA4704F08853BD115D7A64D730D985CB90
                                                                                                                                                        Function 014ACB7E Relevance: .1, Instructions: 89COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                        • Instruction ID: 2b785ae602ea395b3722df95624c556e73bf6f33cd65e5337a103566b48c5895
                                                                                                                                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                        • Instruction Fuzzy Hash: A6210B36E4025A6ADB119BB98440BEFBBB5AF24740F0680369E15EB350E270C90087A0
                                                                                                                                                        Function 014AC156 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                                                                                                                                                        • Instruction ID: 36a6618a53757a087ead71d29634629b914b024c7cd3eae35afe7e9712c7a461
                                                                                                                                                        • Opcode Fuzzy Hash: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                                                                                                                                                        • Instruction Fuzzy Hash: FA3149755003018BD722AFD8CC40BBD77B4BF60314F94816ED9469F3D2DA749986CB90
                                                                                                                                                        Function 0156C3CD Relevance: .1, Instructions: 88COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                        • Instruction ID: 13bc934ce80caa820fa68e92e5ec960b2a908d0a29bb514d2d5fd56085407ad3
                                                                                                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                        • Instruction Fuzzy Hash: B021FD3660065366CB15EB958800EBABBB9FF90752F40841FFAD58F661E635D950C3E0
                                                                                                                                                        Function 014AE420 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                                                                                                                                                        • Instruction ID: 2a3325bb3e7447f9a36f3759487cbfb0cf77b8c25341051285b11c79ec1bccf2
                                                                                                                                                        • Opcode Fuzzy Hash: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                                                                                                                                                        • Instruction Fuzzy Hash: 9431F632A0051C9BDB31DF19CC41FEE77B9AB35740F4201A6E655BB2A0D6749E818FA0
                                                                                                                                                        Function 014E4588 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                        • Instruction ID: 2d7c26e9799eb7191f5149758321c1ec6ce705230e14f7feabf1661fca77048b
                                                                                                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                        • Instruction Fuzzy Hash: 1E21B431A00605EFCB10CF69C584A8EBBF5FF58311F14846AEE19DF250D678EA018F50
                                                                                                                                                        Function 014E44B0 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                                                                                                                                                        • Instruction ID: eb91a967f66a786c9a2da6cc5bc17d6a3c836b1943ed7d7f34ffebe23f1b446b
                                                                                                                                                        • Opcode Fuzzy Hash: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                                                                                                                                                        • Instruction Fuzzy Hash: 9721E132A047459BCB22CF19C884B6B77E4FF8CB61F09452EFE549B651C734E9018BA2
                                                                                                                                                        Function 014AE388 Relevance: .1, Instructions: 86COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                        • Instruction ID: a3ba2d5a48ec5eb84b8adf707fb9ef468b7329489ac20e1a673be970ee074289
                                                                                                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                        • Instruction Fuzzy Hash: B531AD31600605EFE721CFA9C884F6AB7F9FF95354F1145AAE5129B2A1E770EE02CB50
                                                                                                                                                        Function 0152E609 Relevance: .1, Instructions: 86COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4ead0b7d1c1abf13b1f75a5c34bbcfe52261dd0cdf1e328f9c9c8cd17ffa1497
                                                                                                                                                        • Instruction ID: 1ee463600f0914b344b09664c9a9884655282ab24219a48744b6120be3f10f71
                                                                                                                                                        • Opcode Fuzzy Hash: 4ead0b7d1c1abf13b1f75a5c34bbcfe52261dd0cdf1e328f9c9c8cd17ffa1497
                                                                                                                                                        • Instruction Fuzzy Hash: 9B317C76A00216DFCB24CF58D885DAEBBB6FF85304B19445AE8099F391E771FA41CB90
                                                                                                                                                        Function 015306F1 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                                                                                                                                                        • Instruction ID: 06942faf249d0da5f8104fdd9950dc948b55bb8657aa2cf93eaae229ee6b75f3
                                                                                                                                                        • Opcode Fuzzy Hash: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                                                                                                                                                        • Instruction Fuzzy Hash: 6A21917590022A9BCF21DF59C881ABEB7F4FF58740B55006AF541EB250D738AD42CBE1
                                                                                                                                                        Function 0153019F Relevance: .1, Instructions: 78COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                                                                                                                                                        • Instruction ID: 5c431ac09d8f3a9310010269995b2ccea44b39298ccea7b477e7b653fc2e1d87
                                                                                                                                                        • Opcode Fuzzy Hash: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                                                                                                                                                        • Instruction Fuzzy Hash: EA218971600645AFD715DF6DC840E6AB7A8FF98B40F14406EF904DB6A1E634ED41CBA8
                                                                                                                                                        Function 01530283 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                                                                                                                                                        • Instruction ID: 5de42b826a565b37fa705fab19b79242761c4350500d852c24c49842448d9698
                                                                                                                                                        • Opcode Fuzzy Hash: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                                                                                                                                                        • Instruction Fuzzy Hash: E421B0729043469BD711EF6AC844BAFBBDCBFE1650F08445ABD80CB2A1D734D905C7A2
                                                                                                                                                        Function 014D2835 Relevance: .1, Instructions: 73COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                                                                                                                                                        • Instruction ID: 993abae159a7aa01d6433b280bcee4b21c522115dbdfb435237056b20e23eedc
                                                                                                                                                        • Opcode Fuzzy Hash: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                                                                                                                                                        • Instruction Fuzzy Hash: 4921DA31645AC29BF723976D8C55F693B94BB41B74F180365F9209F6F2DBB8C8028250
                                                                                                                                                        Function 014EA30B Relevance: .1, Instructions: 70COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                                                                                                                                                        • Instruction ID: a4b6751bf04146cad4e4c9fd10c4c3936691cd0e213af5fd42d0ef37748c5d90
                                                                                                                                                        • Opcode Fuzzy Hash: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                                                                                                                                                        • Instruction Fuzzy Hash: F621A93A240A119FC725DF2AC800B5AB7F5BF18B04F24846DE509CBB61E371E842CB94
                                                                                                                                                        Function 0156A49A Relevance: .1, Instructions: 70COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0318335c96599d132aeeded42f6ac355e6182acfdccc7ee2646599d5dfad4928
                                                                                                                                                        • Instruction ID: 3ff823e88f1c0c1b0eb3b5948bdeed875f9c36bcfae43cea51dcdfcd89a9f9d3
                                                                                                                                                        • Opcode Fuzzy Hash: 0318335c96599d132aeeded42f6ac355e6182acfdccc7ee2646599d5dfad4928
                                                                                                                                                        • Instruction Fuzzy Hash: F411E772380A127BE7229655AC41F6B769DABE4B60F51042DB708EF290EB70DC0187E5
                                                                                                                                                        Function 01530946 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 01376fe8e838173437b0fb2e6341db207c636ee030188470724d41c1140e394a
                                                                                                                                                        • Instruction ID: 237f1f46d3711a6faacb41d2de06e261c6a548fe0646bfa035fc6d5f8305c56a
                                                                                                                                                        • Opcode Fuzzy Hash: 01376fe8e838173437b0fb2e6341db207c636ee030188470724d41c1140e394a
                                                                                                                                                        • Instruction Fuzzy Hash: E721EBB1E40349ABCB14DFAAD8809AEFBF8FF98710F11012FE505AB250D7709945CB60
                                                                                                                                                        Function 014C0BBE Relevance: .1, Instructions: 70COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 422efc2f8a0401ce0617cea6c5249a96079aa1afb3bcc9bcf823a3877fb77281
                                                                                                                                                        • Instruction ID: 42d84bff129d789081f16dd94e2b4998bd27bc937f8099209205dfe62ead0c4f
                                                                                                                                                        • Opcode Fuzzy Hash: 422efc2f8a0401ce0617cea6c5249a96079aa1afb3bcc9bcf823a3877fb77281
                                                                                                                                                        • Instruction Fuzzy Hash: 9311F0393A4102DFE76ADA18C440B6AB3A4FF91A15F19801EF4068F269EB70D841C740
                                                                                                                                                        Function 015480A8 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                        • Instruction ID: e960c9db7ba7d4a1c32ac46a4a4f45df1a4ac95e911756b80f6408184489ce04
                                                                                                                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                        • Instruction Fuzzy Hash: ED218C76A0020AEFDF129F98CC40BAEBBB9FF98714F20481AF905AB251D734D9509B50
                                                                                                                                                        Function 014E0124 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                        • Instruction ID: 812bfa399e8f6e3bb9255193348e04552372803d9cd3a6cef093021100d82a65
                                                                                                                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                        • Instruction Fuzzy Hash: 6611E272600605AFD7269F45CC84F9ABBB8EB90755F10006EF6108F2A0D6B2ED44CB50
                                                                                                                                                        Function 014B8770 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                                                                                                                                                        • Instruction ID: d22bbb0d255110ac6197a3da449b4709f878a8dcadba14899c54d0c241bacae9
                                                                                                                                                        • Opcode Fuzzy Hash: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                                                                                                                                                        • Instruction Fuzzy Hash: 2E11B2357016129BDB11CF5DC8C0A9BBBEDAF5A715B1840BEEE08DF315D6B2D90287A0
                                                                                                                                                        Function 014B80E9 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                                                                                                                                                        • Instruction ID: 7bf0d8260f766cd43439918c1eae2b1dee3fd07f4f27a79b28b748804a11a212
                                                                                                                                                        • Opcode Fuzzy Hash: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                                                                                                                                                        • Instruction Fuzzy Hash: 14216F75A41206DFCB14CF58C581AAEBBB9FB88714F24416ED105AB365C771AD06CBE0
                                                                                                                                                        Function 014E674D Relevance: .1, Instructions: 65COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                                                                                                                                                        • Instruction ID: 99e6588ea48bde0def0ce754d6258fb6f2be854c751f0364e8fda9aa749deb32
                                                                                                                                                        • Opcode Fuzzy Hash: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                                                                                                                                                        • Instruction Fuzzy Hash: 8D219D75640A01EFD7208F69C880F66B7F8FF64651F45882EE5AACB260DB70B840CB60
                                                                                                                                                        Function 01546870 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                                                                                                                                                        • Instruction ID: 8c3c391d11dfaf6eac21363f331c8f561d975d6bd02e929e5e419ea324c4b496
                                                                                                                                                        • Opcode Fuzzy Hash: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                                                                                                                                                        • Instruction Fuzzy Hash: F3119136240615EFD722DB5AC940F9A77E8FB96B68F114029F205DF261DBB0E901C7A0
                                                                                                                                                        Function 014DE8C0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                                                                                                                                                        • Instruction ID: feac345b8fd9b35d0737d1592276eacb15739628bf543a2d9f3b61b685688c98
                                                                                                                                                        • Opcode Fuzzy Hash: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                                                                                                                                                        • Instruction Fuzzy Hash: 67114C373041109BCF1ACB29CC54A6F7796EBD1374B28493ED522DF3A0D9308802C790
                                                                                                                                                        Function 014C2B79 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 774b6cdfc3e78d9de782ac7cdb709cf519b014770327425a1d0c9c809117f2cd
                                                                                                                                                        • Instruction ID: 7c0a6f596e4274d3eaaed2a08fd6990ffc7aab2c5320c11561011ab34edf4f5f
                                                                                                                                                        • Opcode Fuzzy Hash: 774b6cdfc3e78d9de782ac7cdb709cf519b014770327425a1d0c9c809117f2cd
                                                                                                                                                        • Instruction Fuzzy Hash: F411A23AA056549BDB62CF89D844BAEBBB4FF04B50F08405BE904A7361D3B4AC41CB90
                                                                                                                                                        Function 014E66B0 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                                                                                                                                                        • Instruction ID: 7c688ee96434603c9e6e25424416d4726fb2b1841cdc965f08f34f87425905a9
                                                                                                                                                        • Opcode Fuzzy Hash: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                                                                                                                                                        • Instruction Fuzzy Hash: 4F11CE76A81205DFCB25CF99C584E5BBBF8AFA4611F06807FD9059B320EA70DD00CB90
                                                                                                                                                        Function 0157A8E4 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                        • Instruction ID: 870cf6af4d2813d2f372779847b5e813975c6db46bd475ebee74644816f2654a
                                                                                                                                                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                        • Instruction Fuzzy Hash: E511C436A0091AAFDB19CF58CC05B9DBBF5FFC4210F098269E8559B350E671AD51CB90
                                                                                                                                                        Function 0153E7E1 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                        • Instruction ID: 919af053fdc2bae4c7c4b353ee74aba2fdb86644b7eed32ef93f5cf327b00717
                                                                                                                                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                        • Instruction Fuzzy Hash: FC119E32A00605EFE7219F49C842B5AFBE5FBD6754F05842DEA099F1A0DB31EC41DB90
                                                                                                                                                        Function 014D27ED Relevance: .1, Instructions: 58COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1b0c6833c4ace5a10b17b5821d87789dcb7b24ee4862615b0bb90056332f4b57
                                                                                                                                                        • Instruction ID: e9350882d7c1b3c59cedbc5918346e83c2af29756e2cb442c2d9a226dd0dcbe3
                                                                                                                                                        • Opcode Fuzzy Hash: 1b0c6833c4ace5a10b17b5821d87789dcb7b24ee4862615b0bb90056332f4b57
                                                                                                                                                        • Instruction Fuzzy Hash: F4010431206685AFF717A66ED895F6B6B9CFF90654F45006AF9008F2A1D974DC01C2B1
                                                                                                                                                        Function 014B4690 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b89300e8b5640f2e2d759dffe6e0702c2045a844e8dcf690dd8f86fe557700b6
                                                                                                                                                        • Instruction ID: 56599dd5df0bf37c4f74b4f15bbe78df14ee89c64f832fe692e27e5cfe0127a2
                                                                                                                                                        • Opcode Fuzzy Hash: b89300e8b5640f2e2d759dffe6e0702c2045a844e8dcf690dd8f86fe557700b6
                                                                                                                                                        • Instruction Fuzzy Hash: 1C110236200645AFDB21CFA9C884F977BA4EB96B64F18411BF9068B762C330E811CF70
                                                                                                                                                        Function 014E6620 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a3025aceae59d620bfebc4d4b716be450c2c1818068e9d0d0fa66e2903088470
                                                                                                                                                        • Instruction ID: 9e19d16a9a2c206261fb2379cda1bae3886b0a5cd2f95b8dd6e10127155bbcb8
                                                                                                                                                        • Opcode Fuzzy Hash: a3025aceae59d620bfebc4d4b716be450c2c1818068e9d0d0fa66e2903088470
                                                                                                                                                        • Instruction Fuzzy Hash: B311C676910615ABDB21DF69C9C4B5EFBF8FF64741F51045ADA08A7320D730AD018F60
                                                                                                                                                        Function 014DE53E Relevance: .1, Instructions: 55COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                        • Instruction ID: 2626b426c74c53f953475fcbbfc114854ebe696466d45e86c436607a8aff52d8
                                                                                                                                                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                        • Instruction Fuzzy Hash: 6211C2722016C29BFB239B6C8964B693B94BB00B88F1904A7DA419F662F339C847C250
                                                                                                                                                        Function 0153E75D Relevance: .1, Instructions: 54COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                        • Instruction ID: c992a37531869ac4e43bdbf7f562aa62aeba0fae5a328a1284557145cb5d026d
                                                                                                                                                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                        • Instruction Fuzzy Hash: 5B019236600146AFE7229F59C842F5B7BE9FBD5B50F058429EA05AF260E771DD40CB90
                                                                                                                                                        Function 014AA250 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                        • Instruction ID: e23ee1a9611d0fceb18e0539f2c24cb9c386511688be966afecbbfc218c52a83
                                                                                                                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                        • Instruction Fuzzy Hash: 4B0126365047229BCB318F19D840A377BA4EF65B60751852FFD958B3A1C331D421CB60
                                                                                                                                                        Function 01584940 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2f04a2f25c0831fc91e2fae3bc0f3df4bb2ba79d7ce2272b90e5ed5d674e4c28
                                                                                                                                                        • Instruction ID: f3bc2ac38cd95c81525461f886ed77ceac7796acca477bc97f7908fe7c41cc11
                                                                                                                                                        • Opcode Fuzzy Hash: 2f04a2f25c0831fc91e2fae3bc0f3df4bb2ba79d7ce2272b90e5ed5d674e4c28
                                                                                                                                                        • Instruction Fuzzy Hash: CF01D2725416129FC332EF1DD840F5AB7A8FB91770B264269EDA9AF1A6D730D801CBD0
                                                                                                                                                        Function 0152E1D0 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e425bcc5e73dfec9b6217363a40767316f2a6e40b230579513f73f4281946938
                                                                                                                                                        • Instruction ID: ffc1fe962d468ba3ca9c2158344ea70fe10d40827566d18bc69f399eb173a11d
                                                                                                                                                        • Opcode Fuzzy Hash: e425bcc5e73dfec9b6217363a40767316f2a6e40b230579513f73f4281946938
                                                                                                                                                        • Instruction Fuzzy Hash: CD110432241240EFCB15EF0ACC91F4A7BB8FF65B44F10006AF9059F2A1C231ED01CAA0
                                                                                                                                                        Function 014B6259 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6fdf6e32404514dd1bcb1ffe84a43aebb78848075c53b990fbf96312e3c161ac
                                                                                                                                                        • Instruction ID: 61a1e175bef959cf983d783d4aa62f65f26c2bf83fd7b6fc300dbf3d27b241dc
                                                                                                                                                        • Opcode Fuzzy Hash: 6fdf6e32404514dd1bcb1ffe84a43aebb78848075c53b990fbf96312e3c161ac
                                                                                                                                                        • Instruction Fuzzy Hash: 11119E7054121CABEB25AF25CC41FE97274BB14710F5041DAA714AA1F0D6709E81CF94
                                                                                                                                                        Function 01536050 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 68f773ca8382bcb45bc72b8426df6ff399d00b961d98d698ab01f185d5cc3701
                                                                                                                                                        • Instruction ID: a7cbc382d4aef3bf92a072dfa35a08495a12b97e37136c8b47b97b154c28e974
                                                                                                                                                        • Opcode Fuzzy Hash: 68f773ca8382bcb45bc72b8426df6ff399d00b961d98d698ab01f185d5cc3701
                                                                                                                                                        • Instruction Fuzzy Hash: B0111772900019BBCB11DB95CC84DDFBBBCEF58254F05416AE916AB211EA34EA15CBE0
                                                                                                                                                        Function 014B208A Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                        • Instruction ID: 051dad6cae527dd77b7068c67086cc36a97c5099fd2184411389577db307fc2a
                                                                                                                                                        • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                        • Instruction Fuzzy Hash: A601F5726001019BEF229E59D8C0F967766BFD4600F1540ABEE018F2A6DAB1AC82C7A0
                                                                                                                                                        Function 01546500 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 346fe599c2d6088be272bb38646307cfb78b2511e530efb6d10d6692bbcc0bb7
                                                                                                                                                        • Instruction ID: 9fa0c7bd7b9b447ab958a79e2134ffd37285afa087b0d9c5c27acb994346ecc2
                                                                                                                                                        • Opcode Fuzzy Hash: 346fe599c2d6088be272bb38646307cfb78b2511e530efb6d10d6692bbcc0bb7
                                                                                                                                                        • Instruction Fuzzy Hash: B611E1326401469FC301CF28C840BE6BBB9FB5A318F488159E8488F315D732EC80CBE0
                                                                                                                                                        Function 0153C810 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b9e8832685e2b6dfdbe72346f5fb8f88b69859aef8cf7c6f15abb9ca034f6e12
                                                                                                                                                        • Instruction ID: 1f4db67a18b74be452055826ea12726c012c6b4cf6526ef0131c78e8dc281054
                                                                                                                                                        • Opcode Fuzzy Hash: b9e8832685e2b6dfdbe72346f5fb8f88b69859aef8cf7c6f15abb9ca034f6e12
                                                                                                                                                        • Instruction Fuzzy Hash: EE11ECB1A002499FCB04DF99D541AAEB7F4FF58350F14406BA905E7351D674EE01CBA4
                                                                                                                                                        Function 0155EA60 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 35e4602103cf1a002ff650e99ad0c1707b68e06e8b045cff15ab098cf273d301
                                                                                                                                                        • Instruction ID: f274abb2148c852f7b3f7194d646e5dd51b5005a613a9657f77079e6785e7c68
                                                                                                                                                        • Opcode Fuzzy Hash: 35e4602103cf1a002ff650e99ad0c1707b68e06e8b045cff15ab098cf273d301
                                                                                                                                                        • Instruction Fuzzy Hash: 3E01F5354401119FC7B2AA36C415D3FFBA9FF61A50B48482FE9055F211CBB09D41CB91
                                                                                                                                                        Function 014AC020 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                        • Instruction ID: 8939f85876876f9519e8e55a0a2ea6f3954ec90b582d077388d7c8d87d4f38c6
                                                                                                                                                        • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                        • Instruction Fuzzy Hash: CC012D321007059FEB33DAEAC440FA777F9FFD5610F45841EA9458B550DA71E402C750
                                                                                                                                                        Function 014F20F0 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 894e5ab2b914855ceff295d7e5dc006157776785f9d5f9d7894c619f294895eb
                                                                                                                                                        • Instruction ID: 1454bfc95359d78d0383576f6134ff5858b40967041b8beb4b0f1de74b0e3ad2
                                                                                                                                                        • Opcode Fuzzy Hash: 894e5ab2b914855ceff295d7e5dc006157776785f9d5f9d7894c619f294895eb
                                                                                                                                                        • Instruction Fuzzy Hash: 83115735A00209ABDB15EFA4C950EAF7BA5FB95650F10405EEA019B3A0DB35EE12CB90
                                                                                                                                                        Function 014EE5CF Relevance: .0, Instructions: 49COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d632363efd60cfe1af6bdb348d89d98e4d2228abd9e4aaad33f76beb38283511
                                                                                                                                                        • Instruction ID: acb128826d9d9ae836aedf13fd24389a5415da5cb57eca70eb5f175827328063
                                                                                                                                                        • Opcode Fuzzy Hash: d632363efd60cfe1af6bdb348d89d98e4d2228abd9e4aaad33f76beb38283511
                                                                                                                                                        • Instruction Fuzzy Hash: 9001D476200512BBC351AB6ACD40E5BB7ECFB65A54B00053EB10597670DBB4EC01C6E4
                                                                                                                                                        Function 015469C0 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a74cd8e0ecb8082a55fa24a28992bbc5de5de594fe7ac55692db61e546fe9ee8
                                                                                                                                                        • Instruction ID: a6c5eb212537ce1442472acbbc2d1d52f99b1ecce3c92f8d7aa12b529a2958b1
                                                                                                                                                        • Opcode Fuzzy Hash: a74cd8e0ecb8082a55fa24a28992bbc5de5de594fe7ac55692db61e546fe9ee8
                                                                                                                                                        • Instruction Fuzzy Hash: 3A014C32214702DBC324DF6BD848AABBBE8FF55624F51452EE9588B290E7309941C7D1
                                                                                                                                                        Function 0153C460 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b93bbe43e0cf077b0cddd840a765b298ff7575afa2bf380d79d09a407f0db4f2
                                                                                                                                                        • Instruction ID: adc2d28e149da3fee3703a106585cabb9104af853223d7c75ec3858ce9f93ebf
                                                                                                                                                        • Opcode Fuzzy Hash: b93bbe43e0cf077b0cddd840a765b298ff7575afa2bf380d79d09a407f0db4f2
                                                                                                                                                        • Instruction Fuzzy Hash: C8116975A0020DEBDB15EFA9C844EAE7BB5FB98340F00405AFD01AB390DA35EE11CB90
                                                                                                                                                        Function 0153C97C Relevance: .0, Instructions: 48COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 985c37c4065799a4b3ac2e7b59f786f4f1189413a2d8c6cef2f048aeb9ea6a3b
                                                                                                                                                        • Instruction ID: 64d05f957144f4f9b314aa50fa198626c2db371d0359c456faf38e3fee22f323
                                                                                                                                                        • Opcode Fuzzy Hash: 985c37c4065799a4b3ac2e7b59f786f4f1189413a2d8c6cef2f048aeb9ea6a3b
                                                                                                                                                        • Instruction Fuzzy Hash: CB117CB16043049FC700DF69C44195BBBE4FF99710F00451FBA98D7360D630E900CB92
                                                                                                                                                        Function 014CE016 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                        • Instruction ID: d225c447e4e732da941ab3e68d3a9d845ed884de785dfce4346c436c9f977d92
                                                                                                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                        • Instruction Fuzzy Hash: 3E017C762006909FE323865EC948F6B7BD8FB84B54F0904AAF909DB6E2D778DC41C661
                                                                                                                                                        Function 014A826B Relevance: .0, Instructions: 46COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6d9dbb835d46d64ce3abc84bab61cfe0ad7a7043f0e44b3efde8f484967ea318
                                                                                                                                                        • Instruction ID: 626b98902f0da175f484d07d844ad2a8ecbc81a4033c36fe2d6bb883fbc86f6d
                                                                                                                                                        • Opcode Fuzzy Hash: 6d9dbb835d46d64ce3abc84bab61cfe0ad7a7043f0e44b3efde8f484967ea318
                                                                                                                                                        • Instruction Fuzzy Hash: EF01AC32B00506DBD714EB69DC449BF77A9FFE0610B96406B99019B790DE70DD05C690
                                                                                                                                                        Function 0155EB50 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 2030a28ab613a796ba1df8e59f0aa2cb52236e8ff2ee0e4cd21276d173f0376d
                                                                                                                                                        • Instruction ID: ebc6bd389c83b9ad4488890c93ccf33d2d421c22c7f7f4cf78adc8dcff93dc6d
                                                                                                                                                        • Opcode Fuzzy Hash: 2030a28ab613a796ba1df8e59f0aa2cb52236e8ff2ee0e4cd21276d173f0376d
                                                                                                                                                        • Instruction Fuzzy Hash: 9E01D4716806019FD3715B16D802F16FAA8FF64B60F01082FA6059F3A0C6F099418B94
                                                                                                                                                        Function 014B2582 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 29ac6893e4b8f1c8b6c35b270f4e6ec1b606b62b8b8782bf10ddfcdd2f9f7e8e
                                                                                                                                                        • Instruction ID: 7b2c7f490caa7b1c384305bbe6612fe6c0406304ef81692a6aebdc12c43b04db
                                                                                                                                                        • Opcode Fuzzy Hash: 29ac6893e4b8f1c8b6c35b270f4e6ec1b606b62b8b8782bf10ddfcdd2f9f7e8e
                                                                                                                                                        • Instruction Fuzzy Hash: 5BF0F933741610BBC7319F578D80F4B7AADEB94F90F00402EE60597650C670ED01DAB0
                                                                                                                                                        Function 014DC073 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                        • Instruction ID: ec5b52c428682e86079021c2ecb59604e2b57a420f71c6f1a7e8292fa95b7aef
                                                                                                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                        • Instruction Fuzzy Hash: 70F0AFF2600611ABD325CF8ED940E57FBEADBD1A90F04812DA605CB320EA31ED04CB90
                                                                                                                                                        Function 0158634F Relevance: .0, Instructions: 43COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f4ef28503a95eed61dffbcc1fc42a6778f748af5b4dc5d15fd22b601a5288ad0
                                                                                                                                                        • Instruction ID: a6f4ee909f26b48fcbc463032327d3aae9bf3cfa03fe38d4a7dcefa665a77332
                                                                                                                                                        • Opcode Fuzzy Hash: f4ef28503a95eed61dffbcc1fc42a6778f748af5b4dc5d15fd22b601a5288ad0
                                                                                                                                                        • Instruction Fuzzy Hash: 25018F71A10209EFDB00DFAAD440AAEB7F8FF58300F10402EFA00EB350DA349A01CBA0
                                                                                                                                                        Function 014AC310 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                        • Instruction ID: 84b34972989f37255d172d723e254d14be0cbc27d5f44bdf11df8d178c5bddbe
                                                                                                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                        • Instruction Fuzzy Hash: 70F021332046339FD772579E48C0B6BA5959FF5A64F9B003BF2059B360C9708D0257D0
                                                                                                                                                        Function 0158625D Relevance: .0, Instructions: 43COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fb827024537ef3ad1564e9d518c4c36feb57da881b7ba6b25b1b4e2b88133a1e
                                                                                                                                                        • Instruction ID: 95801ae35a93d6dc6146e9d699eacd4c74ca4d3d507268708c726ab00bc1ac9b
                                                                                                                                                        • Opcode Fuzzy Hash: fb827024537ef3ad1564e9d518c4c36feb57da881b7ba6b25b1b4e2b88133a1e
                                                                                                                                                        • Instruction Fuzzy Hash: 93017171A00209EFDB04DFA9D441AAEB7F8FF58300F10405AF901EB350D6749901CBA0
                                                                                                                                                        Function 015862D6 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4746aed73eefcbbc976380cd48c6c656ca4e11eac2239b5061b8dfd3ab833f2e
                                                                                                                                                        • Instruction ID: 7385826691e7232370cf9e0389e06c6d898f7e7f36c63792804729575d8a4ec0
                                                                                                                                                        • Opcode Fuzzy Hash: 4746aed73eefcbbc976380cd48c6c656ca4e11eac2239b5061b8dfd3ab833f2e
                                                                                                                                                        • Instruction Fuzzy Hash: E2014471A00209EFDB04DFA9D441AAEB7F8FF58704F51405AFA14EB350DA749D01CBA4
                                                                                                                                                        Function 014ECA6F Relevance: .0, Instructions: 42COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                        • Instruction ID: cb2db47ab609a3fd8787f12548371d36283cc848365f61df88529c0e2758b676
                                                                                                                                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                        • Instruction Fuzzy Hash: 3901F9322006959BE322D79DD849F5ABBD8FF52754F08446AFA048F7F1D679C801C250
                                                                                                                                                        Function 015861E5 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 39f3f4eea05c7a57ac071cf8f67af252f61cbe038f991614956aed8914526b7b
                                                                                                                                                        • Instruction ID: b74d51fbe971f0d21613c4611247a281be220684f83534a66bf1a426d6058f1f
                                                                                                                                                        • Opcode Fuzzy Hash: 39f3f4eea05c7a57ac071cf8f67af252f61cbe038f991614956aed8914526b7b
                                                                                                                                                        • Instruction Fuzzy Hash: DF012C71A002499BDB04DFA9D545AEEBBF8BF58710F15405EE501AB390D774AA01CB94
                                                                                                                                                        Function 015320DE Relevance: .0, Instructions: 41COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b51dd5491c7eb571bc0317dd940bf173bb4d8675087fc21991a4d02ba3a6145b
                                                                                                                                                        • Instruction ID: 6a2fdf6efe337ec44f998b6ad8dc15cc675ab3ab0598f54b32752b40bf2920bd
                                                                                                                                                        • Opcode Fuzzy Hash: b51dd5491c7eb571bc0317dd940bf173bb4d8675087fc21991a4d02ba3a6145b
                                                                                                                                                        • Instruction Fuzzy Hash: CBF0C835680309BBEB24E64DCD46F9A7B68FB80B54F61005EF6006F295D6F0A504D691
                                                                                                                                                        Function 015363C0 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                        • Instruction ID: c3d9f1085a85ee966cf12c343d9415793766b0bfe9edaf8cfc6bee7b8df3663e
                                                                                                                                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                        • Instruction Fuzzy Hash: EFF01D7220001EBFEF019F95DD80DEF7B7EFB99698B114129FA1196160D631DE21ABA0
                                                                                                                                                        Function 014AC0F0 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ccef1700ef88d612eb8b594e004769cf0ff075c1c2f9bee86b65705cd5f7ff82
                                                                                                                                                        • Instruction ID: d3ac0413f69147f30b4c359dbf61fdb6fac956f8194a39c833f718d43dcb65f9
                                                                                                                                                        • Opcode Fuzzy Hash: ccef1700ef88d612eb8b594e004769cf0ff075c1c2f9bee86b65705cd5f7ff82
                                                                                                                                                        • Instruction Fuzzy Hash: 61F02B713043415BF791A6199C91F633695E7E0651FA6802BE7058F7F1EA70EC0187A4
                                                                                                                                                        Function 014E656A Relevance: .0, Instructions: 39COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5b9b81082da0ec4571e8d4c4de3f7bde3bb72b973ec8b77babf63835359a73d3
                                                                                                                                                        • Instruction ID: 1d51b3aa208e21e6138ec778d8e6d5eb06f9f57ecac4364a5fc9c127a9afece0
                                                                                                                                                        • Opcode Fuzzy Hash: 5b9b81082da0ec4571e8d4c4de3f7bde3bb72b973ec8b77babf63835359a73d3
                                                                                                                                                        • Instruction Fuzzy Hash: 3E01A4713406819BF3229B2CDD4CF6A3BE4BB61B00F4A45A5FA118F6F6D778D8428710
                                                                                                                                                        Function 014EA5D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 1270f5c3063fcabcedf61b6331a0f3057f045b0fc1d245bf04d89b9c3960e102
                                                                                                                                                        • Instruction ID: d49ee98b739b474e3fe10c31a693d6b97736eda4245bf5ef7c0c346281555dd0
                                                                                                                                                        • Opcode Fuzzy Hash: 1270f5c3063fcabcedf61b6331a0f3057f045b0fc1d245bf04d89b9c3960e102
                                                                                                                                                        • Instruction Fuzzy Hash: 5A01ADB2240700AFD311DF24CE49B2677E8F795716F05897AA69CCB1A0E374D804CB46
                                                                                                                                                        Function 0155437C Relevance: .0, Instructions: 37COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                        • Instruction ID: 25c62d06fbd35a42618cc7876f42ad9ac089c3c0cdda4396c7297ddd4da35069
                                                                                                                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                        • Instruction Fuzzy Hash: F7F0E93534191347EBB5AB2E8430B2EA695BFA0D50B17053F9D01CF671EF20D8C08780
                                                                                                                                                        Function 014C0218 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e6c493c90a206a4297f7cbbbafc74d46b1e12e1948c4112ae1b67867a1e26a3c
                                                                                                                                                        • Instruction ID: e0c4311cd0c6cf04d8d02ee787b5e7725fe24fdc94bb9a8caa07c380bcda2d74
                                                                                                                                                        • Opcode Fuzzy Hash: e6c493c90a206a4297f7cbbbafc74d46b1e12e1948c4112ae1b67867a1e26a3c
                                                                                                                                                        • Instruction Fuzzy Hash: 0DF0947D991601CFE3A69F18C814B257BA2FB11F18FA2052FE1118F3A2D6B48C49CB51
                                                                                                                                                        Function 0153E872 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                        • Instruction ID: f0c069cacb3d0a44f690639d6aabb158ad440797878cd8dd5087b48b8df839d6
                                                                                                                                                        • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                        • Instruction Fuzzy Hash: A1F05E33B116129BE3219E4ECC81F5AF7E8FFD5A60F190479AA04AF260C760EC0287D0
                                                                                                                                                        Function 0153C89D Relevance: .0, Instructions: 36COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: bd73b8f2b5dc463b285113ac6d326d78cda76836ee9fa9f15c81e8018bb89b98
                                                                                                                                                        • Instruction ID: 5c6a35c4ac667797120e1f0dcf48d7292e4f00547e472c4795c8cfbb747bb9c4
                                                                                                                                                        • Opcode Fuzzy Hash: bd73b8f2b5dc463b285113ac6d326d78cda76836ee9fa9f15c81e8018bb89b98
                                                                                                                                                        • Instruction Fuzzy Hash: E9F0AF716053449FC310EF29C441A2BB7E4FFA8710F404A5FB998DB394EA34EA01C796
                                                                                                                                                        Function 014E0854 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                        • Instruction ID: 531e9e65bbf29ab392893509ec4175f3d60376377f6ca969f4277b35fb6aef59
                                                                                                                                                        • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                        • Instruction Fuzzy Hash: 0EF0F072600201AEE314DB22CC04F46B6E9EFA8340F148079A584C72B0EAB0ED01C654
                                                                                                                                                        Function 0153C912 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 06d6a82499916a00bf4eff9d47410c63ca022a730f62cfd5f4f5e6aee605edc5
                                                                                                                                                        • Instruction ID: 7787f2b8f172e69bf0defefbfa153b3cf5fd2394a3fdb013432ed6f94eaf05e1
                                                                                                                                                        • Opcode Fuzzy Hash: 06d6a82499916a00bf4eff9d47410c63ca022a730f62cfd5f4f5e6aee605edc5
                                                                                                                                                        • Instruction Fuzzy Hash: DFF0C270A00249DFCB04EF69C511AAEB7F4FF68300F01805BB915EB395DA34EA01CB90
                                                                                                                                                        Function 014B47FB Relevance: .0, Instructions: 33COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 55fa585e24b655ad9ebc8045ba996a338b30f6b249ec626ea6ee5c543a72a960
                                                                                                                                                        • Instruction ID: a9178100a59bbcec488ad3ab709d370f022e074ba8b966de3b7fe6a1a71cd925
                                                                                                                                                        • Opcode Fuzzy Hash: 55fa585e24b655ad9ebc8045ba996a338b30f6b249ec626ea6ee5c543a72a960
                                                                                                                                                        • Instruction Fuzzy Hash: B8F096399156D19ED722975CC484B9277E4DB01B20F0C596BE58B87673C734D840C6A1
                                                                                                                                                        Function 01570115 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ef2f4680c1543f88b46d5cb4fc65ec93f35fee8db376f34f1265f21effca98b6
                                                                                                                                                        • Instruction ID: 43dc0f42d2a4d4c318999d01d562bee0a998a32efa6496df3c2ba8008f6f3071
                                                                                                                                                        • Opcode Fuzzy Hash: ef2f4680c1543f88b46d5cb4fc65ec93f35fee8db376f34f1265f21effca98b6
                                                                                                                                                        • Instruction Fuzzy Hash: 02F0277A4596C20ECB326B3C7C622E97BA8B792110F4E2445E4B15F249CB748487D360
                                                                                                                                                        Function 014EC5ED Relevance: .0, Instructions: 31COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 254b099ff3fb90ca845cab743db1ce698020a91f99569b52e6338d8b98531777
                                                                                                                                                        • Instruction ID: fae620401fc036c4b72b14fdf38a52d4d1565b6b360c8e53d21f1c6d26d29530
                                                                                                                                                        • Opcode Fuzzy Hash: 254b099ff3fb90ca845cab743db1ce698020a91f99569b52e6338d8b98531777
                                                                                                                                                        • Instruction Fuzzy Hash: 22F0E2715116519FE322973CC1CCB237BE4AB85BA2F089527D44E87672C374E882CE91
                                                                                                                                                        Function 014F2619 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                        • Instruction ID: 4f706c64647eea87f12b11df6253cde8b0f54c78bc794464f93836be49d871dc
                                                                                                                                                        • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                        • Instruction Fuzzy Hash: 46E092723006012BE7119E5A8C80F477B6EDFA6B10F04007EB6045E361C9F2DD0986A4
                                                                                                                                                        Function 01546030 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                        • Instruction ID: 9f532e2ab1a0233ee8c048801ecf74569055263c5041560518538b7d21b9b182
                                                                                                                                                        • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                        • Instruction Fuzzy Hash: 53F030722042049FE3218F0AD944F56B7F8FB16769F45C42AE6099F561D379EC40CFA4
                                                                                                                                                        Function 014D02FE Relevance: .0, Instructions: 28COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: eac4c193cda1c5d0edd12dac97c803a98939a1f4a9d065502a146353d1376ed5
                                                                                                                                                        • Instruction ID: 2b503671a16a63754a63e5e4924853f9c6a03d242b0cad432033e3de2d0de424
                                                                                                                                                        • Opcode Fuzzy Hash: eac4c193cda1c5d0edd12dac97c803a98939a1f4a9d065502a146353d1376ed5
                                                                                                                                                        • Instruction Fuzzy Hash: 39D0C936100248AFCF05DF41C8A1D9A772AEB98710F20941AF91907A118A71A962DA50
                                                                                                                                                        Function 014B0710 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                        • Instruction ID: e97dd21e21f21b3ecac7d16fe17ee97736fbf50f13ef1971edc4bd988b5c0716
                                                                                                                                                        • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                        • Instruction Fuzzy Hash: 7CF0E5392047419BEB16CF19C090AEABBF8FB51350F1404AAF8468B361D731E983CBA0
                                                                                                                                                        Function 014E49D0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                        • Instruction ID: ec7f7436a05f1a5581ce8527550e476935d76eda9582e18c6d00ce66c2e5c059
                                                                                                                                                        • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                        • Instruction Fuzzy Hash: 0DE0D832344145ABD3211A598808B6B77E6DBE07F2F19042FE200CB270DB70DC41C7D8
                                                                                                                                                        Function 01584164 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9e903a5ea344887834462e23a8939dd7e95778efe14bf661ffc3ae538c19abb2
                                                                                                                                                        • Instruction ID: bcb988ad7650dc4b74b067ecc7d9015776dc26d5581ffa195bb14aa12151fc21
                                                                                                                                                        • Opcode Fuzzy Hash: 9e903a5ea344887834462e23a8939dd7e95778efe14bf661ffc3ae538c19abb2
                                                                                                                                                        • Instruction Fuzzy Hash: 65F0E531A256938FE772F72CD140B5D7BE0BB10A30F4A0565D8409F912C724DC40C650
                                                                                                                                                        Function 0155678E Relevance: .0, Instructions: 27COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                        • Instruction ID: 58a1ef0ee828356f90ebafe76b6c57623e1f65e1b05dee9f63f6d8f3d9daf70d
                                                                                                                                                        • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                        • Instruction Fuzzy Hash: E7E0D832A00110BBEB6197598D15F9A7EACEBA0EA0F05015ABA00DB0A0D530DE00C690
                                                                                                                                                        Function 015808C0 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                        • Instruction ID: 2cae2d0688497b81dcb3493aa8eb4cf339b9496c874a03612bb7bf587708f3fd
                                                                                                                                                        • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                        • Instruction Fuzzy Hash: 02E09B316507508BCB25AA1DC540A57B7E8FFD5661F158069E9055B653C231F887CAD0
                                                                                                                                                        Function 014B25E0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: ad628e45fc258a1aed759b908ef867e96e58cfe725879c2ec4a5b5f6e601abfa
                                                                                                                                                        • Instruction ID: eef76b57d673f71ff00efb3c55c8cf238fd578f4a9d8c2e7b2f0181a88a705e5
                                                                                                                                                        • Opcode Fuzzy Hash: ad628e45fc258a1aed759b908ef867e96e58cfe725879c2ec4a5b5f6e601abfa
                                                                                                                                                        • Instruction Fuzzy Hash: 8BE092321005549BC721BF2ADD41FCA7B9AEB70760F05452EB116571A0CA70B910C794
                                                                                                                                                        Function 0156A456 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                        • Instruction ID: cfb727c6273ebf1db038fbf5e1d370cfe3b81c78e415c64c9a769a6c7de436fd
                                                                                                                                                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                        • Instruction Fuzzy Hash: 33E09231010612DFE7326F2BCC48B567AE4BFA0712F148C2EE196275B0C7B5D8C0CA80
                                                                                                                                                        Function 01534000 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                        • Instruction ID: 3d3cf2faa22eb1939c7ed07b530af0633968fcdb1ec8cbe1f8c70438bb0cb0bd
                                                                                                                                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                        • Instruction Fuzzy Hash: 6FE052793003459FE715CF59C054B66BBB6FFD5A50F28C069A9488F205EB36E842CB51
                                                                                                                                                        Function 014A823B Relevance: .0, Instructions: 21COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                        • Instruction ID: 07d76dbbcecf9af2a48656554e2e2361acd1f1afcc6857c77a692e7a5bdfdc01
                                                                                                                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                        • Instruction Fuzzy Hash: 22E0C233440A16EFDB322F16DC00F667AA1FF74B11F12486FE1811A1B487B1AC82CB44
                                                                                                                                                        Function 014B2050 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ab6bb3d979bc5fbffca2716a00d71f8ec0c456fc7c30fd2fa5fb8ebb032b4a72
                                                                                                                                                        • Instruction ID: f7304e52c198dfbc0a3d804f345db6c14cd16b1bf518545e113ee73694832114
                                                                                                                                                        • Opcode Fuzzy Hash: ab6bb3d979bc5fbffca2716a00d71f8ec0c456fc7c30fd2fa5fb8ebb032b4a72
                                                                                                                                                        • Instruction Fuzzy Hash: BFE08C321004506BC711FA6EDD40E8A739AEBB4660F05422AB1568B2A0CA70BC00C7A4
                                                                                                                                                        Function 014B2324 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1fb84a54a76b0b59f3231cdbb2d26b0abecede4783def34d10f1a66e2d715024
                                                                                                                                                        • Instruction ID: b5954fcb320247a770d0f633774037bbb15361031655bc3f743ad1263a71ec81
                                                                                                                                                        • Opcode Fuzzy Hash: 1fb84a54a76b0b59f3231cdbb2d26b0abecede4783def34d10f1a66e2d715024
                                                                                                                                                        • Instruction Fuzzy Hash: 55E04F35804046AFDF279FAAC545FDDBB71FB58300F54005ED800361B0CB745950C650
                                                                                                                                                        Function 014AA740 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3294d9e0611fd8cb7e020eb025cc7a1c6b4d32ac0b185834d9d821d574cb207a
                                                                                                                                                        • Instruction ID: 5997ca8026c08f47b5d0236c799737b65f06cc1c5cc4d1c2a420f30165d2cbb5
                                                                                                                                                        • Opcode Fuzzy Hash: 3294d9e0611fd8cb7e020eb025cc7a1c6b4d32ac0b185834d9d821d574cb207a
                                                                                                                                                        • Instruction Fuzzy Hash: A9E08C35500445EBDB27AB9ACC44FEEBA71BBA9700F5415AED1002A5B0C778A890CB90
                                                                                                                                                        Function 014EE59C Relevance: .0, Instructions: 16COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                        • Instruction ID: d9a62ad77b94725edbf4bfe6e70919494c9ee5acdc86bfb037f79ef1940dcd57
                                                                                                                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                        • Instruction Fuzzy Hash: 6ED0A933204620ABD772AA1DFC00FC733E8BB98B20F06046EF008CB1A0C360AC81CA84
                                                                                                                                                        Function 0152E908 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                        • Instruction ID: 7dcd22e0075844abdee21cdbfd0ba622306e58c939f7338db4c6fad0ba4d8473
                                                                                                                                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                        • Instruction Fuzzy Hash: 86E0EC36A506849FDF56DF5AC640F9EBBB5FB95B40F150059E5086F661C734AD00CB40
                                                                                                                                                        Function 014AA0E3 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                        • Instruction ID: 07cea69311c4f675288d1399ed2ea72cd150e2b8652c3d25bef3ade18774e849
                                                                                                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                        • Instruction Fuzzy Hash: 95D02233216030A3DB285A566800FAB6905ABA0A90F2B002F340A93920C0248C43C2E0
                                                                                                                                                        Function 014EA830 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                        • Instruction ID: 2b30d0d6f562431d04081a93601f665967568dd7d1bf0dc6a7ec7838ea936bbd
                                                                                                                                                        • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                        • Instruction Fuzzy Hash: F7D0123B1D054DBBCB119F66DC01F957BA9E764BA0F448025B504875A0C63AE950D584
                                                                                                                                                        Function 014C02A0 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                        • Instruction ID: 132f0681d367ed39186a8d25eb6d1ac5a36a5be8158694d6aed69e7dadb0d42c
                                                                                                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                        • Instruction Fuzzy Hash: 3DD09239216A80CFD65B8B0CC5A4B1633A4BB44F44F8108A5E402CBB22E638D940CA00
                                                                                                                                                        Function 014EC700 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                        • Instruction ID: 107d34a8712ef7d06cc109673529fe5ea882d2740c080edcbe71c76707895d52
                                                                                                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                        • Instruction Fuzzy Hash: 3FC01237290648AFC712AE9ACD01F467BA9EBA8B40F004026F2048B670C631E820EA84
                                                                                                                                                        Function 014AE0D0 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 29c6ea852d41930928c7777bce7a0cd2808746d73b2f7322a5704b92214c79f1
                                                                                                                                                        • Instruction ID: f0f5714b01c6ab09e59a210774fcde93ca93a0e08225ceb2dd0e7bcbb9a0800d
                                                                                                                                                        • Opcode Fuzzy Hash: 29c6ea852d41930928c7777bce7a0cd2808746d73b2f7322a5704b92214c79f1
                                                                                                                                                        • Instruction Fuzzy Hash: 91C04CF3B540A0AA8714DB625404B76658AA3F9205BCAC46EB1A5C6148D939C4019A64
                                                                                                                                                        Function 014D0310 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                        • Instruction ID: 626d07713cfeaee269dded7690a6dcd15e043aef335ca46367e280f2ab4243af
                                                                                                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                        • Instruction Fuzzy Hash: 2FD01236100248EFCF01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA50
                                                                                                                                                        Function 014B0750 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                        • Instruction ID: fe60abdd46e260a110d43e5c9a4b7b4e2b59edcf35f4c24369ffb2ccaf69ad40
                                                                                                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                        • Instruction Fuzzy Hash: 1BC04879701A428FDF16DF6AD294F9977E4FB54B40F254898E805CBB22E625EC02CA10
                                                                                                                                                        Function 014EA060 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
                                                                                                                                                        • Instruction ID: d2ffd7570f5c5b8134c5b50cfcd0fa9e933c932ff57b84c9c18b39e676c6a89c
                                                                                                                                                        • Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
                                                                                                                                                        • Instruction Fuzzy Hash: 7AB012730218809BCB1A6F05E940E413765E7D4730F35046DB007478718A34DC11D514
                                                                                                                                                        Function 014F4340 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                                                                                                                                                        • Instruction ID: 5a72633ad7c9e3be4d09724c5b257a3283e8634c64c85065163972c7c56c2fab
                                                                                                                                                        • Opcode Fuzzy Hash: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                                                                                                                                                        • Instruction Fuzzy Hash: C9900231A05C00529141719848849464045B7E0311B59C411E0424998CCA548A965361
                                                                                                                                                        Function 014F4650 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                                                                                                                                                        • Instruction ID: 5ce39958b90f9cec41714bf1e5a3668bd46edf3c1d56514b6630a8b2ac5053ba
                                                                                                                                                        • Opcode Fuzzy Hash: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                                                                                                                                                        • Instruction Fuzzy Hash: B4900261A01900824141719848048066045B7E1311399C515A05549A4CC65889959369
                                                                                                                                                        Function 014F2BE0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                                                                                                                                                        • Instruction ID: 4a9b024d9579f61ac279025dd77b72fb597ad2916f1ce5cbc3ddc436ceeb35f1
                                                                                                                                                        • Opcode Fuzzy Hash: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                                                                                                                                                        • Instruction Fuzzy Hash: 5490023160584882D14171984404E460055A7D0315F59C411A0064AD8DD6658E95B761
                                                                                                                                                        Function 014F2B80 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                                                                                                                                                        • Instruction ID: a45b8fe9fb27ef2e18d7858f43b7f35a115fdb14fb2d0753e4b80327d2d1ccfb
                                                                                                                                                        • Opcode Fuzzy Hash: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                                                                                                                                                        • Instruction Fuzzy Hash: 5390023160180842D10571984804A860045A7D0311F59C411A6024A99ED6A589D17231
                                                                                                                                                        Function 014F2BA0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                                                                                                                                                        • Instruction ID: 3f69722a6f6435c92c46f249e87e8efd62f73403341312b3a399803cc8fc8ebf
                                                                                                                                                        • Opcode Fuzzy Hash: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                                                                                                                                                        • Instruction Fuzzy Hash: 44900231A0580842D15171984414B460045A7D0311F59C411A0024A98DC7958B9577A1
                                                                                                                                                        Function 014E0A50 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
                                                                                                                                                        • Instruction ID: 76841ddcc09cbd5e72ffae3383617de5c57f1bfa1f8f853644ef12028e4d52b1
                                                                                                                                                        • Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
                                                                                                                                                        • Instruction Fuzzy Hash: F2A02232220880CFCB03BF80CA00F0033B0FF30A00FC880A8B00283830823CCC00CA00
                                                                                                                                                        Function 014F2AF0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                                                                                                                                                        • Instruction ID: e0da3d14421b808812d0f2081586d4011dd39c029085a0ee038fa4d8f8c3d428
                                                                                                                                                        • Opcode Fuzzy Hash: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                                                                                                                                                        • Instruction Fuzzy Hash: 0E900225621800420146B598060490B0485B7D6361399C415F14169D4CC66189A55321
                                                                                                                                                        Function 014F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                                                                                                                                                        • Instruction ID: 5a6fe7f7d7d2218d9de5fe0758293e3fcfbb23a6eed50d0e73dfcf3978bf892d
                                                                                                                                                        • Opcode Fuzzy Hash: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                                                                                                                                                        • Instruction Fuzzy Hash: 299002A1601940D24501B2988404F0A4545A7E0211B59C416E10549A4CC56589919235
                                                                                                                                                        Function 014F2D00 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                                                                                                                                                        • Instruction ID: 2983fdb47fd9feea7678ce0786779104cb87fe795b788c8c0478aec7be0559bb
                                                                                                                                                        • Opcode Fuzzy Hash: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                                                                                                                                                        • Instruction Fuzzy Hash: F990022160584482D10175985408E060045A7D0215F59D411A10649D9DC6758991A231
                                                                                                                                                        Function 014F2DB0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                                                                                                                                                        • Instruction ID: 3263676cbb652afefe6c1d024d29a8f700b69f3678942a0c627c5845464ff987
                                                                                                                                                        • Opcode Fuzzy Hash: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                                                                                                                                                        • Instruction Fuzzy Hash: 1490023164180442D14271984404A060049B7D0251F99C412A0424998EC6958B96AB61
                                                                                                                                                        Function 014F2C60 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                                                                                                                                                        • Instruction ID: 1cd6d0d0fb2ac24820ea6cd77663976be186b7b131fbc62fba79c2a6e3430509
                                                                                                                                                        • Opcode Fuzzy Hash: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                                                                                                                                                        • Instruction Fuzzy Hash: BE90023160180882D10171984404F460045A7E0311F59C416A0124A98DC655C9917621
                                                                                                                                                        Function 014F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                                                                                                                                                        • Instruction ID: db2a4868ae52197876320b0dfde5be7836d94d7f3fbfb3f156a073126dbb73f6
                                                                                                                                                        • Opcode Fuzzy Hash: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                                                                                                                                                        • Instruction Fuzzy Hash: 01900221A0580442D14171985418B060055A7D0211F59D411A0024998DC6998B9567A1
                                                                                                                                                        Function 014F2CF0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                                                                                                                                                        • Instruction ID: a19513ef98ba2aeff9519e0d6b81cd62cdd0ae0fb62b13148596fbd106a9a99d
                                                                                                                                                        • Opcode Fuzzy Hash: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                                                                                                                                                        • Instruction Fuzzy Hash: CE90023160180443D10171985508B070045A7D0211F59D811A042499CDD69689916221
                                                                                                                                                        Function 014F2F60 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                                                                                                                                                        • Instruction ID: bc09ee9ec79343ae867c43b88348c4c75875a677b6a6e06942b7ce3e1fecf7bc
                                                                                                                                                        • Opcode Fuzzy Hash: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                                                                                                                                                        • Instruction Fuzzy Hash: 3790026161180082D10571984404B060085A7E1211F59C412A2154998CC5698DA15225
                                                                                                                                                        Function 014F2FA0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                                                                                                                                                        • Instruction ID: 2f1f241384e9911471bfe7e347d9673f1544a4148979b7de212be637eb8f8978
                                                                                                                                                        • Opcode Fuzzy Hash: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                                                                                                                                                        • Instruction Fuzzy Hash: 2D900231601C0442D10171984808B470045A7D0312F59C411A5164999EC6A5C9D16631
                                                                                                                                                        Function 014F2E30 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                                                                                                                                                        • Instruction ID: 31cf1192c2297f16d140c9654cb8653a0cedb80ff5ddbe287452ee176b69720f
                                                                                                                                                        • Opcode Fuzzy Hash: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                                                                                                                                                        • Instruction Fuzzy Hash: CD90022170180442D10371984414A060049E7D1355F99C412E1424999DC6658A93A232
                                                                                                                                                        Function 014F2EE0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                                                                                                                                                        • Instruction ID: fc9b1edb4dced70954e85db28c12b55880a397aaf4b08002f7d456b8937539f2
                                                                                                                                                        • Opcode Fuzzy Hash: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                                                                                                                                                        • Instruction Fuzzy Hash: 45900261601C0443D14175984804A070045A7D0312F59C411A2064999ECA698D916235
                                                                                                                                                        Function 014F3010 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 835633eb8e3c905e7cd6b103bff874252c1ec442b8d7994bd80cb6ba861e34d9
                                                                                                                                                        • Instruction ID: b57f3e80525cfdb8a71f4ff340b8c4fe7a71e99daa9d0ad656378f1dd9dc9fbb
                                                                                                                                                        • Opcode Fuzzy Hash: 835633eb8e3c905e7cd6b103bff874252c1ec442b8d7994bd80cb6ba861e34d9
                                                                                                                                                        • Instruction Fuzzy Hash: E1900221601C4482D14172984804F0F4145A7E1212F99C419A4156998CC95589955721
                                                                                                                                                        Function 014F3090 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4737b2897b9898c57e05fd76c7a8300e321e381ca90e1c94f45704a28693b8d6
                                                                                                                                                        • Instruction ID: c53481cec8f3d83c4cc39c4fa858dfd2612853bf2ff2bd1f648bea9451773198
                                                                                                                                                        • Opcode Fuzzy Hash: 4737b2897b9898c57e05fd76c7a8300e321e381ca90e1c94f45704a28693b8d6
                                                                                                                                                        • Instruction Fuzzy Hash: 2C90022164180842D14171988414B070046E7D0611F59C411A0024998DC6568AA567B1
                                                                                                                                                        Function 014F35C0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b83c988a2980b3ed637095052300fb9f8057a7bf092e520abc52ddd553c41f20
                                                                                                                                                        • Instruction ID: 1faeec559c12745f30956bb5caf7ea1cb7e69fe82825fa3670acc4ce0d3a3985
                                                                                                                                                        • Opcode Fuzzy Hash: b83c988a2980b3ed637095052300fb9f8057a7bf092e520abc52ddd553c41f20
                                                                                                                                                        • Instruction Fuzzy Hash: 09900231A0590442D10171984514B061045A7D0211F69C811A04249ACDC7D58A9166A2
                                                                                                                                                        Function 014F39B0 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8f1be3a955ca1fd3173cf8ab1a812ce8835a41a27e57bae2745946f360caf0cc
                                                                                                                                                        • Instruction ID: 3bb6ec5545276ae7bdab98b09c3dbf42d9e78258de08874dac8966c940bfc4d3
                                                                                                                                                        • Opcode Fuzzy Hash: 8f1be3a955ca1fd3173cf8ab1a812ce8835a41a27e57bae2745946f360caf0cc
                                                                                                                                                        • Instruction Fuzzy Hash: 9190022164585142D151719C4404A164045B7E0211F59C421A08149D8DC59589956321
                                                                                                                                                        Function 014F3D70 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 73e31e18142d9e8256e529cfce73989cd9624c10fb1c8549fd771cd9836d5981
                                                                                                                                                        • Instruction ID: 91f19905c28d406522afb9f501e70c97b6b8810d4037aa574b7daaccbcd3db88
                                                                                                                                                        • Opcode Fuzzy Hash: 73e31e18142d9e8256e529cfce73989cd9624c10fb1c8549fd771cd9836d5981
                                                                                                                                                        • Instruction Fuzzy Hash: FF90023560180442D51171985804A460086A7D0311F59D811A042499CDC69489E1A221
                                                                                                                                                        Function 014F3D10 Relevance: .0, Instructions: 4COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 187cc0db8c45f4859ec37d58be17dc050993906c4e2fb4fabb13c72a70c40817
                                                                                                                                                        • Instruction ID: e5821aedf65fee8c9afb0befb037f506d7266fb707ec6695011f69e9bff85ed2
                                                                                                                                                        • Opcode Fuzzy Hash: 187cc0db8c45f4859ec37d58be17dc050993906c4e2fb4fabb13c72a70c40817
                                                                                                                                                        • Instruction Fuzzy Hash: 8190023160280182954172985804E4E4145A7E1312B99D815A0015998CC95489A15321
                                                                                                                                                        Function 014F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                        • Instruction ID: 34f0b348e126488d994b67bc5b3da795d643cc88cece7f49ebb3fccfbcc69ea9
                                                                                                                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                        Function 0158A670 Relevance: 12.3, APIs: 8, Instructions: 285timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 0e2ac664f40853b768a09033026406a6aa99a35fa9b822ecf980a7145c05f42b
                                                                                                                                                        • Instruction ID: ba55af19fff93c07019ff1c16945d931e192674228bc9edf6563cd4d649cc134
                                                                                                                                                        • Opcode Fuzzy Hash: 0e2ac664f40853b768a09033026406a6aa99a35fa9b822ecf980a7145c05f42b
                                                                                                                                                        • Instruction Fuzzy Hash: EEA1A0756143118FD715EE18C890A2ABBE5FF88310F09496EEA46EF311E770EC05CBA1
                                                                                                                                                        Function 01586940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                                        • Instruction ID: 0922ccd656dc97d6c4567f2a1a59c87ce9bf44ccdba1798cec67eccd703b2f3a
                                                                                                                                                        • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                                        • Instruction Fuzzy Hash: 2D022571508342AFD305EF19C490A6FBBE5FFC8704F14892DBA996B260DB31E905CB52
                                                                                                                                                        Function 014F2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 48624451-0
                                                                                                                                                        • Opcode ID: 8cb58ae36c389fda112de1c0487296c242cb0f93eb284a1f645ef3aa1a92005d
                                                                                                                                                        • Instruction ID: d3c2ba5a77a40be6948851ecfdb94f2dc33f835cc05b00b1a033a1f58e3157fa
                                                                                                                                                        • Opcode Fuzzy Hash: 8cb58ae36c389fda112de1c0487296c242cb0f93eb284a1f645ef3aa1a92005d
                                                                                                                                                        • Instruction Fuzzy Hash: 3E51D6B6B00156AFCB11DF9C8890D7FFBB8BB49240B54822EE565DB791D374DE408BA0
                                                                                                                                                        Function 01562410 Relevance: 9.2, APIs: 6, Instructions: 189COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 48624451-0
                                                                                                                                                        • Opcode ID: 0dd145f8515c7e12a991bf6fb77c7ab9ad949f69e057ae335856cc40b1f0be0d
                                                                                                                                                        • Instruction ID: af9735f252f40c18883910cc00d831516e083ed05fb6a3eb18779a9a4b370e81
                                                                                                                                                        • Opcode Fuzzy Hash: 0dd145f8515c7e12a991bf6fb77c7ab9ad949f69e057ae335856cc40b1f0be0d
                                                                                                                                                        • Instruction Fuzzy Hash: C251F775A00646AECB31DE9DC89097EBBFCFB54201F44885AE4D6CF681E674DA40C7A0
                                                                                                                                                        Function 014CA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 015179D0, 015179F5
                                                                                                                                                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 015179D5
                                                                                                                                                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 015179FA
                                                                                                                                                        • SsHd, xrefs: 014CA3E4
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                                                                                                        • API String ID: 0-929470617
                                                                                                                                                        • Opcode ID: 96bfa78a8ac3221db4e77d33581acb618155a6ed4d6951b150714e97ffefb9a1
                                                                                                                                                        • Instruction ID: f1f07e2c3c3ffc2a9796744dc474cb4772aeed948e487a2305cd20f8cde47cbd
                                                                                                                                                        • Opcode Fuzzy Hash: 96bfa78a8ac3221db4e77d33581acb618155a6ed4d6951b150714e97ffefb9a1
                                                                                                                                                        • Instruction Fuzzy Hash: 63E126356043058FE765CE2CC494B2BBBE1BB88714F244A2EE995CB3A1E731D985CB41
                                                                                                                                                        Function 014CD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 01519341, 01519366
                                                                                                                                                        • GsHd, xrefs: 014CD874
                                                                                                                                                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01519346
                                                                                                                                                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0151936B
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                                                                                                        • API String ID: 3446177414-576511823
                                                                                                                                                        • Opcode ID: 61adbdaf21053902e349c303a668416dc9306c8a2e51c82477b2b8b68cf238d8
                                                                                                                                                        • Instruction ID: 863a71737f0d71be31149234d470318f7eb6c646f857300883b51d652a8cd0c5
                                                                                                                                                        • Opcode Fuzzy Hash: 61adbdaf21053902e349c303a668416dc9306c8a2e51c82477b2b8b68cf238d8
                                                                                                                                                        • Instruction Fuzzy Hash: 22E1F878A043428FE751CF58C490B6BBBE5BF88718F04493EE9958B391D770D844CB92
                                                                                                                                                        Function 014FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: __aulldvrm
                                                                                                                                                        • String ID: +$-$0$0
                                                                                                                                                        • API String ID: 1302938615-699404926
                                                                                                                                                        • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                        • Instruction ID: fefcd66e304a1b4c5ba07b7cfc612c00415cfdd2527ea9bcc3fc1974a3f87018
                                                                                                                                                        • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                        • Instruction Fuzzy Hash: BE81AF70E052499EEF258E6CC8917FFBBB2EF86360F18411FDA55A73B1C63498418B52
                                                                                                                                                        Function 014B9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: $$@
                                                                                                                                                        • API String ID: 3446177414-1194432280
                                                                                                                                                        • Opcode ID: 5b90d68b264caf28eebc06ef576c7549b6f99290ea4b168d182155c963b66732
                                                                                                                                                        • Instruction ID: ce1693a603c99e9a5c578ed15ee3ebfb3e88d04b99bccb7918cd1e471104fe19
                                                                                                                                                        • Opcode Fuzzy Hash: 5b90d68b264caf28eebc06ef576c7549b6f99290ea4b168d182155c963b66732
                                                                                                                                                        • Instruction Fuzzy Hash: CF812B71D002699BEB35CB54CC44BEEB6B4AF08714F1445DAEA19BB290D7309E84DFA0
                                                                                                                                                        Function 014DDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                                                                                                        • API String ID: 3446177414-56086060
                                                                                                                                                        • Opcode ID: 891756bdd9d007df7fece58e94c6fcbd2a8842bd2a454891d9c25d2f78611c7b
                                                                                                                                                        • Instruction ID: 329c9d03f5772639575893f7c67068904b0bea79f949f071084f974f1ec7120d
                                                                                                                                                        • Opcode Fuzzy Hash: 891756bdd9d007df7fece58e94c6fcbd2a8842bd2a454891d9c25d2f78611c7b
                                                                                                                                                        • Instruction Fuzzy Hash: 88414671A00341DFEB22EF68C4A5B6EB7A4FF51728F14456FD4424B3A1C774A889C790
                                                                                                                                                        Function 014DDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                                                                                                        • API String ID: 3446177414-3526935505
                                                                                                                                                        • Opcode ID: f1f4958dd9c2cf3ff7db2af1a16e610f9b3800afa0e59295eb5d1a9bf271fe58
                                                                                                                                                        • Instruction ID: ed2c4b61ea1f987572c92327dcbe0f55b829153e97d7f8c933e759b0524a3ea2
                                                                                                                                                        • Opcode Fuzzy Hash: f1f4958dd9c2cf3ff7db2af1a16e610f9b3800afa0e59295eb5d1a9bf271fe58
                                                                                                                                                        • Instruction Fuzzy Hash: 01312B30604780DFEB23A76CC415B6A7BE4FB11B10F15405BE8518B6B2C7B4A485C751
                                                                                                                                                        Function 014AC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: $
                                                                                                                                                        • API String ID: 3446177414-3993045852
                                                                                                                                                        • Opcode ID: cbacd5cfb08d816e53a916ac8758ffbadcfe94597ec8c56a89e95150a8faf88a
                                                                                                                                                        • Instruction ID: dc8f59f18a4eeac8330ab3c15128adc8f7d683785545826d5a02c9507c0e9463
                                                                                                                                                        • Opcode Fuzzy Hash: cbacd5cfb08d816e53a916ac8758ffbadcfe94597ec8c56a89e95150a8faf88a
                                                                                                                                                        • Instruction Fuzzy Hash: 0C115E32904219EBDF16AFE4EC486AC7B71FF44760F108519F8266F2D0CB316A44DB80
                                                                                                                                                        Function 01587CD6 Relevance: 6.4, APIs: 4, Instructions: 397timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: f7caeecc5a1ae8b79f530f433e804e37a5b2f22f42dae55e0227bf94f5a54912
                                                                                                                                                        • Instruction ID: 189f86d165ff5a2296caaa37cf5206c16e795ae42c50a3c29e7b0b50490aa6ab
                                                                                                                                                        • Opcode Fuzzy Hash: f7caeecc5a1ae8b79f530f433e804e37a5b2f22f42dae55e0227bf94f5a54912
                                                                                                                                                        • Instruction Fuzzy Hash: C0E15271A0020AEBDF15DFA4C881BEEBBB5FF48314F64852AE515FB290D770AA45CB50
                                                                                                                                                        Function 014DEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 10ee6a127e5d86f751f82e3fe77fd2dc909a1710cee7e4f1ab2871cde4513455
                                                                                                                                                        • Instruction ID: ba68b5e2d73f82cb144d7d28114b9ca415026a838153a98d8a07e1d65e680998
                                                                                                                                                        • Opcode Fuzzy Hash: 10ee6a127e5d86f751f82e3fe77fd2dc909a1710cee7e4f1ab2871cde4513455
                                                                                                                                                        • Instruction Fuzzy Hash: 16E10075D00608DFDF26CFA9C990A9EBBF1BF48304F14456AE556AB361D770A84ACF10
                                                                                                                                                        Function 0152EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: c77bd13f45079206275c551364ecb9d3c58c12b1a86c3e2d4559f5125dd61b43
                                                                                                                                                        • Instruction ID: 62aeaeb88813135a70a127470d3ecbf7ac2519bec5623d461789a9e3e3063a64
                                                                                                                                                        • Opcode Fuzzy Hash: c77bd13f45079206275c551364ecb9d3c58c12b1a86c3e2d4559f5125dd61b43
                                                                                                                                                        • Instruction Fuzzy Hash: 92713672E002299FDF05CFA8D885ADDBBF5BF4A714F14402AE905AF294D734A905CB60
                                                                                                                                                        Function 0158A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: e51691bad55460b53af1c0a2d28f1c71150f272db3c7d66b0313ecceea2ae5ae
                                                                                                                                                        • Instruction ID: b5054fc7f058e1ce0a65ca33e10cd84800baa33300f64350e8c436dfb4e9ae09
                                                                                                                                                        • Opcode Fuzzy Hash: e51691bad55460b53af1c0a2d28f1c71150f272db3c7d66b0313ecceea2ae5ae
                                                                                                                                                        • Instruction Fuzzy Hash: 06517A31B006129FEF18EE19C4A4A29B7F1FB89314B14446EDA06EF714DB74EC81CB90
                                                                                                                                                        Function 0152F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3446177414-0
                                                                                                                                                        • Opcode ID: 1fa15cd8685da45d7f70823024ce9cb1cec45cfe7e1d2153325f2296418ee719
                                                                                                                                                        • Instruction ID: e117bc9cb27206e844ef3c7c02aca4aa1e728c0ac23dec752dd0778dec54e26b
                                                                                                                                                        • Opcode Fuzzy Hash: 1fa15cd8685da45d7f70823024ce9cb1cec45cfe7e1d2153325f2296418ee719
                                                                                                                                                        • Instruction Fuzzy Hash: 96512472E00229AFDF08CF98E845ADDBBF1BF4A314F14802AE915BB290D734A945CF54
                                                                                                                                                        Function 014E7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4281723722-0
                                                                                                                                                        • Opcode ID: cd3e4baaa644bd75fed9a27e365d898ad61c19169cc12881dc6f6c6f81965ae0
                                                                                                                                                        • Instruction ID: 76341c8b044aa11f02837dc43b56da085ab657bd074d9a9f623f469297a76742
                                                                                                                                                        • Opcode Fuzzy Hash: cd3e4baaa644bd75fed9a27e365d898ad61c19169cc12881dc6f6c6f81965ae0
                                                                                                                                                        • Instruction Fuzzy Hash: 16313876E40229AFCF25DFA8D844AADBBF1FB49720F15412AE521BB290D7705D00CF54
                                                                                                                                                        Function 014B59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: @
                                                                                                                                                        • API String ID: 0-2766056989
                                                                                                                                                        • Opcode ID: e1251a661c4a04cab5d5eaff9e167f498504b8563ecdff1a830aa7a488f79d99
                                                                                                                                                        • Instruction ID: d1d839d5e23b9ad5cb0e5bcb02d8ebcccd0159dd85d2e334d3886a96257476d7
                                                                                                                                                        • Opcode Fuzzy Hash: e1251a661c4a04cab5d5eaff9e167f498504b8563ecdff1a830aa7a488f79d99
                                                                                                                                                        • Instruction Fuzzy Hash: 18326D70D0426ADFDB22DF65C884BEDFBB4BB18304F0041EAD549AB251D7745A85CFA0
                                                                                                                                                        Function 014F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: __aulldvrm
                                                                                                                                                        • String ID: +$-
                                                                                                                                                        • API String ID: 1302938615-2137968064
                                                                                                                                                        • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                        • Instruction ID: 5afee909056e5b504eead4e51bd933a585419e806968eb9dc7166c049ac7cd74
                                                                                                                                                        • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                        • Instruction Fuzzy Hash: B3919371E002069AEB24DF6DC890ABFBBA5EF44322F54451FEB55A73E0D73899418721
                                                                                                                                                        Function 01588927 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • RtlDebugPrintTimes.NTDLL ref: 01588B03
                                                                                                                                                        • RtlDebugPrintTimes.NTDLL ref: 01588B5B
                                                                                                                                                          • Part of subcall function 014F2B60: LdrInitializeThunk.NTDLL ref: 014F2B6A
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes$InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1259822791-3916222277
                                                                                                                                                        • Opcode ID: e3ca88af2c4a9eb520e36cde3d00e9cd6776437d7f059e4642b2a1cb7cdeecbb
                                                                                                                                                        • Instruction ID: cbb3a80b320bdb79331266fe32f2f9342e51a3c71297ccea48506cff38166190
                                                                                                                                                        • Opcode Fuzzy Hash: e3ca88af2c4a9eb520e36cde3d00e9cd6776437d7f059e4642b2a1cb7cdeecbb
                                                                                                                                                        • Instruction Fuzzy Hash: 2561A231A1021D9BDB269F28CC45BEDBBB9FB48710F4441EDA619EA191DB709F84CF50
                                                                                                                                                        Function 014E4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 0$Flst
                                                                                                                                                        • API String ID: 0-758220159
                                                                                                                                                        • Opcode ID: e0a21e5995f2a1988145dde6369a45ee9fd15a70627413c85bc9fe5313e28ca8
                                                                                                                                                        • Instruction ID: 1845b7863c5aff4fde502a618730f8be2cce3bf89067a28199941f50c5eca581
                                                                                                                                                        • Opcode Fuzzy Hash: e0a21e5995f2a1988145dde6369a45ee9fd15a70627413c85bc9fe5313e28ca8
                                                                                                                                                        • Instruction Fuzzy Hash: 37517BB2E002148BDF26CF99D488A6EFBF5FF44715F19802AD049DF2A1E7759946CB80
                                                                                                                                                        Function 014DD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • RtlDebugPrintTimes.NTDLL ref: 014DD959
                                                                                                                                                          • Part of subcall function 014B4859: RtlDebugPrintTimes.NTDLL ref: 014B48F7
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: $$$
                                                                                                                                                        • API String ID: 3446177414-233714265
                                                                                                                                                        • Opcode ID: 19a2d43595182ddf685144141589891b356bdd7c8427177521407ce1d20641fe
                                                                                                                                                        • Instruction ID: 0481b7621cf69b980c96e5485794e2fae072eba26b5876a377c412c47db636a6
                                                                                                                                                        • Opcode Fuzzy Hash: 19a2d43595182ddf685144141589891b356bdd7c8427177521407ce1d20641fe
                                                                                                                                                        • Instruction Fuzzy Hash: DE513331E003469FDF22DFA8C495B9EBBB2BF54304F65405ED4256B2E5D770A94ACB80
                                                                                                                                                        Function 0152FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: $
                                                                                                                                                        • API String ID: 3446177414-3993045852
                                                                                                                                                        • Opcode ID: 4a7073bc0c7ec53c436de1005394410e422b92fb14791c66fdd7f9878fafa10c
                                                                                                                                                        • Instruction ID: a208d1d670973672e20e6570354bb8506fd6426899e26c5fd1ef3775f3be3e45
                                                                                                                                                        • Opcode Fuzzy Hash: 4a7073bc0c7ec53c436de1005394410e422b92fb14791c66fdd7f9878fafa10c
                                                                                                                                                        • Instruction Fuzzy Hash: 7441B2B6A00219AFDF12DF99E880AEEBFB5FF49704F14011AE900AB391C7709D10DB90
                                                                                                                                                        Function 014ADF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DebugPrintTimes
                                                                                                                                                        • String ID: 0$0
                                                                                                                                                        • API String ID: 3446177414-203156872
                                                                                                                                                        • Opcode ID: ea16033407f27e7057123d3ce96c7ff6cdddd5cc7a4d6247e87e06161ac222df
                                                                                                                                                        • Instruction ID: d0b18454010c676e9823d7ed613edfdca947db82008aec834632b89d52d2aa17
                                                                                                                                                        • Opcode Fuzzy Hash: ea16033407f27e7057123d3ce96c7ff6cdddd5cc7a4d6247e87e06161ac222df
                                                                                                                                                        • Instruction Fuzzy Hash: 8E417CB1A087069FC311CF68C484A1BBBE4BB98314F45492EF588DB351D771E905CB96
                                                                                                                                                        Function 015620E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000006.00000002.1776625190.0000000001542000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001480000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001487000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000014A6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.0000000001506000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.00000000015AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        • Associated: 00000006.00000002.1776625190.000000000161E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_6_2_1480000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                        • String ID: [
                                                                                                                                                        • API String ID: 48624451-784033777
                                                                                                                                                        • Opcode ID: 766493f858d674b2b55b935574e4fa89cf6c008a36a4fdcc06852e54be71eecb
                                                                                                                                                        • Instruction ID: 3e91e9185f2bd7425d7e93a3a08fd708a0434c2885941d488464c6491e7e6d09
                                                                                                                                                        • Opcode Fuzzy Hash: 766493f858d674b2b55b935574e4fa89cf6c008a36a4fdcc06852e54be71eecb
                                                                                                                                                        • Instruction Fuzzy Hash: D121317AE0011AEBDB11DF69D850AEEBBECBF54654F45011AEA05E7240EB30DA058BE1

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:1%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                        Total number of Nodes:69
                                                                                                                                                        Total number of Limit Nodes:7
                                                                                                                                                        execution_graph 20211 e695bac 20213 e695bb1 20211->20213 20212 e695bb6 20213->20212 20246 e68bb72 20213->20246 20215 e695c2c 20215->20212 20216 e695c85 20215->20216 20218 e695c69 20215->20218 20219 e695c54 20215->20219 20260 e693ab2 NtProtectVirtualMemory 20216->20260 20222 e695c6e 20218->20222 20223 e695c80 20218->20223 20256 e693ab2 NtProtectVirtualMemory 20219->20256 20220 e695c8d 20261 e68d102 ObtainUserAgentString NtProtectVirtualMemory 20220->20261 20258 e693ab2 NtProtectVirtualMemory 20222->20258 20223->20216 20227 e695c97 20223->20227 20225 e695c5c 20257 e68cee2 ObtainUserAgentString NtProtectVirtualMemory 20225->20257 20228 e695c9c 20227->20228 20229 e695cbe 20227->20229 20250 e693ab2 NtProtectVirtualMemory 20228->20250 20229->20212 20233 e695cd9 20229->20233 20234 e695cc7 20229->20234 20231 e695c76 20259 e68cfc2 ObtainUserAgentString NtProtectVirtualMemory 20231->20259 20233->20212 20264 e693ab2 NtProtectVirtualMemory 20233->20264 20262 e693ab2 NtProtectVirtualMemory 20234->20262 20237 e695ccf 20263 e68d2f2 ObtainUserAgentString NtProtectVirtualMemory 20237->20263 20239 e695cac 20251 e68cde2 ObtainUserAgentString 20239->20251 20241 e695ce5 20265 e68d712 ObtainUserAgentString NtProtectVirtualMemory 20241->20265 20244 e695cb4 20252 e689412 20244->20252 20247 e68bb93 20246->20247 20248 e68bcb5 CreateMutexExW 20247->20248 20249 e68bcce 20247->20249 20248->20249 20249->20215 20250->20239 20251->20244 20254 e689440 20252->20254 20253 e689473 20253->20212 20254->20253 20255 e68944d CreateThread 20254->20255 20255->20212 20256->20225 20257->20212 20258->20231 20259->20212 20260->20220 20261->20212 20262->20237 20263->20212 20264->20241 20265->20212 20266 e6892dd 20270 e68931a 20266->20270 20267 e6893fa 20268 e689328 SleepEx 20268->20268 20268->20270 20270->20267 20270->20268 20273 e693f12 socket NtCreateFile getaddrinfo 20270->20273 20274 e68a432 NtCreateFile 20270->20274 20275 e6890f2 socket getaddrinfo 20270->20275 20273->20270 20274->20270 20275->20270 20276 e68f8c2 20277 e68f934 20276->20277 20278 e68f9a6 20277->20278 20279 e68f995 ObtainUserAgentString 20277->20279 20279->20278 20280 e694f82 20281 e694fb8 20280->20281 20283 e695081 20281->20283 20285 e695022 20281->20285 20286 e6915b2 20281->20286 20284 e695117 getaddrinfo 20283->20284 20283->20285 20284->20285 20287 e69160a socket 20286->20287 20288 e6915ec 20286->20288 20287->20283 20288->20287 20289 e695e12 20290 e695e45 NtProtectVirtualMemory 20289->20290 20293 e694942 20289->20293 20292 e695e70 20290->20292 20294 e694967 20293->20294 20294->20290 20295 e694232 20296 e69425c 20295->20296 20298 e694334 20295->20298 20297 e694410 NtCreateFile 20296->20297 20296->20298 20297->20298

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 0E694232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642filenativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 295 e694232-e694256 296 e6948bd-e6948cd 295->296 297 e69425c-e694260 295->297 297->296 298 e694266-e6942a0 297->298 299 e6942bf 298->299 300 e6942a2-e6942a6 298->300 302 e6942c6 299->302 300->299 301 e6942a8-e6942ac 300->301 303 e6942ae-e6942b2 301->303 304 e6942b4-e6942b8 301->304 305 e6942cb-e6942cf 302->305 303->302 304->305 306 e6942ba-e6942bd 304->306 307 e6942f9-e69430b 305->307 308 e6942d1-e6942f7 call e694942 305->308 306->305 312 e694378 307->312 313 e69430d-e694332 307->313 308->307 308->312 316 e69437a-e6943a0 312->316 314 e6943a1-e6943a8 313->314 315 e694334-e69433b 313->315 319 e6943aa-e6943d3 call e694942 314->319 320 e6943d5-e6943dc 314->320 317 e69433d-e694360 call e694942 315->317 318 e694366-e694370 315->318 317->318 318->312 325 e694372-e694373 318->325 319->312 319->320 322 e6943de-e69440a call e694942 320->322 323 e694410-e694458 NtCreateFile call e694172 320->323 322->312 322->323 331 e69445d-e69445f 323->331 325->312 331->312 332 e694465-e69446d 331->332 332->312 333 e694473-e694476 332->333 334 e694478-e694481 333->334 335 e694486-e69448d 333->335 334->316 336 e69448f-e6944b8 call e694942 335->336 337 e6944c2-e6944ec 335->337 336->312 342 e6944be-e6944bf 336->342 343 e6948ae-e6948b8 337->343 344 e6944f2-e6944f5 337->344 342->337 343->312 345 e6944fb-e6944fe 344->345 346 e694604-e694611 344->346 347 e69455e-e694561 345->347 348 e694500-e694507 345->348 346->316 353 e694567-e694572 347->353 354 e694616-e694619 347->354 350 e694509-e694532 call e694942 348->350 351 e694538-e694559 348->351 350->312 350->351 358 e6945e9-e6945fa 351->358 359 e6945a3-e6945a6 353->359 360 e694574-e69459d call e694942 353->360 356 e6946b8-e6946bb 354->356 357 e69461f-e694626 354->357 363 e694739-e69473c 356->363 364 e6946bd-e6946c4 356->364 366 e694628-e694651 call e694942 357->366 367 e694657-e69466b call e695e92 357->367 358->346 359->312 362 e6945ac-e6945b6 359->362 360->312 360->359 362->312 372 e6945bc-e6945e6 362->372 368 e694742-e694749 363->368 369 e6947c4-e6947c7 363->369 373 e6946f5-e694734 364->373 374 e6946c6-e6946ef call e694942 364->374 366->312 366->367 367->312 383 e694671-e6946b3 367->383 376 e69474b-e694774 call e694942 368->376 377 e69477a-e6947bf 368->377 369->312 379 e6947cd-e6947d4 369->379 372->358 393 e694894-e6948a9 373->393 374->343 374->373 376->343 376->377 377->393 384 e6947fc-e694803 379->384 385 e6947d6-e6947f6 call e694942 379->385 383->316 391 e69482b-e694835 384->391 392 e694805-e694825 call e694942 384->392 385->384 391->343 394 e694837-e69483e 391->394 392->391 393->316 394->343 398 e694840-e694886 394->398 398->393
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                        • String ID: `
                                                                                                                                                        • API String ID: 823142352-2679148245
                                                                                                                                                        • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                        • Instruction ID: 04cf68427a44a964bf0527285f26f0ab7a39d96d371e1baf4afcb77dea8e150d
                                                                                                                                                        • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                        • Instruction Fuzzy Hash: 0A225B70A28A099FCB59DF28D4946AEF7E5FB98301F40462ED46ED3250DF30E852DB81
                                                                                                                                                        Function 0E695E12 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 434 e695e12-e695e38 435 e695e45-e695e6e NtProtectVirtualMemory 434->435 436 e695e40 call e694942 434->436 437 e695e7d-e695e8f 435->437 438 e695e70-e695e7c 435->438 436->435
                                                                                                                                                        APIs
                                                                                                                                                        • NtProtectVirtualMemory.NTDLL ref: 0E695E67
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                                        • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                        • Instruction ID: 95042c61b18ed729fc7344179e66d01f916ac448ca419cc18df375abadc385ce
                                                                                                                                                        • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                        • Instruction Fuzzy Hash: 51019230628B484F8B84EF6CE480126B7E4FBC9354F000B3EE5AAC3250EB60C5414742
                                                                                                                                                        Function 0E695E0A Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 439 e695e0a-e695e6e call e694942 NtProtectVirtualMemory 442 e695e7d-e695e8f 439->442 443 e695e70-e695e7c 439->443
                                                                                                                                                        APIs
                                                                                                                                                        • NtProtectVirtualMemory.NTDLL ref: 0E695E67
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                                        • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                        • Instruction ID: 28e058de65fc73d59d89da6e78de5aa71da38c7b4066dadcb641df8280cc0044
                                                                                                                                                        • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                        • Instruction Fuzzy Hash: 8D01A734628B884B8B44EB3C94412A6B3E5FBCE314F000B3EE59AC3241DB21D5024782
                                                                                                                                                        Function 0E694F82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 0 e694f82-e694fb6 1 e694fb8-e694fbc 0->1 2 e694fd6-e694fd9 0->2 1->2 5 e694fbe-e694fc2 1->5 3 e694fdf-e694fed 2->3 4 e6958fe-e69590c 2->4 7 e694ff3-e694ff7 3->7 8 e6958f6-e6958f7 3->8 5->2 6 e694fc4-e694fc8 5->6 6->2 9 e694fca-e694fce 6->9 10 e694ff9-e694ffd 7->10 11 e694fff-e695000 7->11 8->4 9->2 12 e694fd0-e694fd4 9->12 10->11 13 e69500a-e695010 10->13 11->13 12->2 12->3 14 e69503a-e695060 13->14 15 e695012-e695020 13->15 17 e695068-e69507c call e6915b2 14->17 18 e695062-e695066 14->18 15->14 16 e695022-e695026 15->16 16->8 19 e69502c-e695035 16->19 22 e695081-e6950a2 17->22 18->17 20 e6950a8-e6950ab 18->20 19->8 23 e6950b1-e6950b8 20->23 24 e695144-e695150 20->24 22->20 25 e6958ee-e6958ef 22->25 26 e6950ba-e6950dc call e694942 23->26 27 e6950e2-e6950f5 23->27 24->25 28 e695156-e695165 24->28 25->8 26->27 27->25 30 e6950fb-e695101 27->30 31 e69517f-e69518f 28->31 32 e695167-e695178 call e691552 28->32 30->25 36 e695107-e695109 30->36 33 e695191-e6951da call e691732 31->33 34 e6951e5-e69521b 31->34 32->31 33->34 49 e6951dc-e6951e1 33->49 40 e69522d-e695231 34->40 41 e69521d-e69522b 34->41 36->25 42 e69510f-e695111 36->42 45 e695233-e695245 40->45 46 e695247-e69524b 40->46 44 e69527f-e695280 41->44 42->25 47 e695117-e695132 getaddrinfo 42->47 48 e695283-e6952e0 call e695d62 call e692482 call e691e72 call e696002 44->48 45->44 50 e69524d-e69525f 46->50 51 e695261-e695265 46->51 47->24 52 e695134-e69513c 47->52 63 e6952e2-e6952e6 48->63 64 e6952f4-e695354 call e695d92 48->64 49->34 50->44 54 e69526d-e695279 51->54 55 e695267-e69526b 51->55 52->24 54->44 55->48 55->54 63->64 65 e6952e8-e6952ef call e692042 63->65 69 e69535a-e695396 call e695d62 call e696262 call e696002 64->69 70 e69548c-e6954b8 call e695d62 call e696262 64->70 65->64 85 e695398-e6953b7 call e696262 call e696002 69->85 86 e6953bb-e6953e9 call e696262 * 2 69->86 79 e6954d9-e695590 call e696262 * 3 call e696002 * 2 call e692482 70->79 80 e6954ba-e6954d5 70->80 111 e695595-e6955b9 call e696262 79->111 80->79 85->86 100 e6953eb-e695410 call e696002 call e696262 86->100 101 e695415-e69541d 86->101 100->101 104 e69541f-e695425 101->104 105 e695442-e695448 101->105 108 e695467-e695487 call e696262 104->108 109 e695427-e69543d 104->109 110 e69544e-e695456 105->110 105->111 108->111 109->111 110->111 115 e69545c-e69545d 110->115 121 e6955bb-e6955cc call e696262 call e696002 111->121 122 e6955d1-e6956ad call e696262 * 7 call e696002 call e695d62 call e696002 call e691e72 call e692042 111->122 115->108 133 e6956af-e6956b3 121->133 122->133 135 e6956ff-e69572d call e6916b2 133->135 136 e6956b5-e6956fa call e691382 call e6917b2 133->136 145 e69575d-e695761 135->145 146 e69572f-e695735 135->146 157 e6958e6-e6958e7 136->157 147 e69590d-e695913 145->147 148 e695767-e69576b 145->148 146->145 151 e695737-e69574c 146->151 152 e695779-e695784 147->152 153 e695919-e695920 147->153 154 e6958aa-e6958df call e6917b2 148->154 155 e695771-e695773 148->155 151->145 158 e69574e-e695754 151->158 160 e695786-e695793 152->160 161 e695795-e695796 152->161 153->160 154->157 155->152 155->154 157->25 158->145 159 e695756 158->159 159->145 160->161 164 e69579c-e6957a0 160->164 161->164 167 e6957b1-e6957b2 164->167 168 e6957a2-e6957af 164->168 170 e6957b8-e6957c4 167->170 168->167 168->170 173 e6957f4-e695861 170->173 174 e6957c6-e6957ef call e695d92 call e695d62 170->174 185 e6958a3-e6958a4 173->185 186 e695863 173->186 174->173 185->154 186->185 188 e695865-e69586a 186->188 188->185 190 e69586c-e695872 188->190 190->185 192 e695874-e6958a1 190->192 192->185 192->186
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: getaddrinfo
                                                                                                                                                        • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                                        • API String ID: 300660673-1117930895
                                                                                                                                                        • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                        • Instruction ID: e3b28194ecf0262252d897188df2a49c7a009b154c805941b768168a71bcc11d
                                                                                                                                                        • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                        • Instruction Fuzzy Hash: 9F52C130614B088FCB29EF68E4947E9B7E5FB55300F504A2EC49FC7246DE30A94ADB95
                                                                                                                                                        Function 0E68F8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        APIs
                                                                                                                                                        • ObtainUserAgentString.URLMON ref: 0E68F9A0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AgentObtainStringUser
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 2681117516-319646191
                                                                                                                                                        • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction ID: 1131c8f385966dd3546a43241791c3507ce796651aa27f634ca8e2dedf3a3efe
                                                                                                                                                        • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction Fuzzy Hash: B931DD31614A1C8BCF05EFA8D8887EEBBE5FB58304F40062ED45ED7240DE788A49C799
                                                                                                                                                        Function 0E68F8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        APIs
                                                                                                                                                        • ObtainUserAgentString.URLMON ref: 0E68F9A0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AgentObtainStringUser
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 2681117516-319646191
                                                                                                                                                        • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction ID: 76c31cbc071362f85516f163c6f191acea83df28adc9a5309a65e1a3abc707e4
                                                                                                                                                        • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction Fuzzy Hash: 8B21CE31A10A1C8BCF05EFA8D8847EDBBE5FF58304F40462ED45AD7240DE748A49CB99
                                                                                                                                                        Function 0E68BB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148synchronizationCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 234 e68bb66-e68bb68 235 e68bb6a-e68bb6b 234->235 236 e68bb93-e68bbb8 234->236 237 e68bb6d-e68bb71 235->237 238 e68bbbe-e68bc22 call e692612 call e694942 * 2 235->238 239 e68bbbb-e68bbbc 236->239 237->239 240 e68bb73-e68bb92 237->240 248 e68bc28-e68bc2b 238->248 249 e68bcdc 238->249 239->238 240->236 248->249 250 e68bc31-e68bcb0 call e696da4 call e696022 call e6963e2 call e696022 call e6963e2 248->250 251 e68bcde-e68bcf6 249->251 263 e68bcb5-e68bcca CreateMutexExW 250->263 264 e68bcce-e68bcd3 263->264 264->249 265 e68bcd5-e68bcda 264->265 265->251
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                        • String ID: .dll$el32$kern
                                                                                                                                                        • API String ID: 1964310414-1222553051
                                                                                                                                                        • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                        • Instruction ID: 53d414d055b6213f5f456b9f3b2b341955bdd67f2e3f6d99888b467e2cd32205
                                                                                                                                                        • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                        • Instruction Fuzzy Hash: 21414974918A088FDF54EFA8D8D47AD77E4FBA8300F04466AC84ADB255DE309946CB85
                                                                                                                                                        Function 0E68BB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138synchronizationCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                        • String ID: .dll$el32$kern
                                                                                                                                                        • API String ID: 1964310414-1222553051
                                                                                                                                                        • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                        • Instruction ID: 4fd55490e1325c36c7ea680bc4e25c1e40b28ad1cdfc6627d3395403cee3e39e
                                                                                                                                                        • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                        • Instruction Fuzzy Hash: 1C413774918A088FDF94EFA8D8D8BAD77E4FF68300F04456AC84EDB255DE309946CB85
                                                                                                                                                        Function 0E6915B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 403 e6915b2-e6915ea 404 e69160a-e69162b socket 403->404 405 e6915ec-e691604 call e694942 403->405 405->404
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: socket
                                                                                                                                                        • String ID: sock
                                                                                                                                                        • API String ID: 98920635-2415254727
                                                                                                                                                        • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                        • Instruction ID: 5324f47303662aa72c2bb2ce36c9de2353afd3a9244f20f552e6026d80bc3d60
                                                                                                                                                        • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                        • Instruction Fuzzy Hash: 0C012C70618A188FCB84EF1CE048B54BBE4FB59354F1545AEE85ECB266C7B0C9818B86
                                                                                                                                                        Function 0E6892DD Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 408 e6892dd-e689320 call e694942 411 e6893fa-e68940e 408->411 412 e689326 408->412 413 e689328-e689339 SleepEx 412->413 413->413 414 e68933b-e689341 413->414 415 e68934b-e689352 414->415 416 e689343-e689349 414->416 418 e689370-e689376 415->418 419 e689354-e68935a 415->419 416->415 417 e68935c-e68936a call e693f12 416->417 417->418 421 e689378-e68937e 418->421 422 e6893b7-e6893bd 418->422 419->417 419->418 421->422 426 e689380-e68938a 421->426 423 e6893bf-e6893cf call e689e72 422->423 424 e6893d4-e6893db 422->424 423->424 424->413 428 e6893e1-e6893f5 call e6890f2 424->428 426->422 429 e68938c-e6893b1 call e68a432 426->429 428->413 429->422
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Sleep
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3472027048-0
                                                                                                                                                        • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                        • Instruction ID: d43076d6449c3e4fa13ce2424c33a2081478687a9939e9d16ab0eeb3ea152497
                                                                                                                                                        • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                                        • Instruction Fuzzy Hash: F4316A70614B09DFDB64AF69A1882A5B7A0FBA9301F44477EC92ECB246CB749850CFD1
                                                                                                                                                        Function 0E689412 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 444 e689412-e689446 call e694942 447 e689448-e689472 call e696c9e CreateThread 444->447 448 e689473-e68947d 444->448
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4161736928.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_e5a0000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                                        • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                        • Instruction ID: e27ddef8360bf4f1ad5c0971f6773e49c25e866ac337daf55dc4137ada2f57c3
                                                                                                                                                        • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                        • Instruction Fuzzy Hash: E1F0C830268A4C4FDB84EB2CE44563AB3D4EBE9214F44463EA54DC3254DA25C9414715

                                                                                                                                                        Non-executed Functions

                                                                                                                                                        Function 0FD3FD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                                                        • API String ID: 0-393284711
                                                                                                                                                        • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                        • Instruction ID: 9db4ac3bd6926c9c8a4c43b5cf657ec7bdf997851679335905fa3415586d001d
                                                                                                                                                        • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                        • Instruction Fuzzy Hash: CEE15A70518F488FC7A8EF68C4947ABB7E0FB58301F504A2E959BC7246DF34B5418B96
                                                                                                                                                        Function 0FC7AD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                                                        • API String ID: 0-393284711
                                                                                                                                                        • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                        • Instruction ID: 6a175c174c1750cd32dc9d08ef5ef908227aee462435de2de36212e68b6165b0
                                                                                                                                                        • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                        • Instruction Fuzzy Hash: 50E16A70518F488FCB68EF68C4857ABB7E0FB58304F504A2E959FC7256DF34A5068B89
                                                                                                                                                        Function 0FD42792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                                                        • API String ID: 0-2916316912
                                                                                                                                                        • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                        • Instruction ID: 4d5853a77e6d57b1772852bcfd401fc13f6ac2980c4c24a693152ac792d87808
                                                                                                                                                        • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                        • Instruction Fuzzy Hash: 59B18A30518B488FDB95EF68C485AEEB7F1FF98300F50451ED49ACB252EF74A8058B96
                                                                                                                                                        Function 0FC7D792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                                                        • API String ID: 0-2916316912
                                                                                                                                                        • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                        • Instruction ID: c87530f7c06e3516060d6d9b64d91d4924ab0e4e2598f6bab355acaa4282d601
                                                                                                                                                        • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                        • Instruction Fuzzy Hash: E1B19E30518B488EDB58EF68C486AEEB7F1FF98304F50491ED49AC7252EF749509CB85
                                                                                                                                                        Function 0FD40622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                        • API String ID: 0-1539916866
                                                                                                                                                        • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                        • Instruction ID: 252706848077a9ba7797eaba38157acf3a93fd566b89a3181f3f6decd3474fc3
                                                                                                                                                        • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                        • Instruction Fuzzy Hash: 2541B070A18B088FDF54EF88A4497AD7BE2FB48700F40425ED509D3246DBB5AD458BD6
                                                                                                                                                        Function 0FC7B622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                        • API String ID: 0-1539916866
                                                                                                                                                        • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                        • Instruction ID: 9bf8fc44e3f88aac4b94766435508751e03378f325b954e1c09d2ba8a25a1ec1
                                                                                                                                                        • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                        • Instruction Fuzzy Hash: 4541B170A18B08CFDB14DF98A8466BD7BE2FB88700F40025ED409D3256DFB5AD498BD6
                                                                                                                                                        Function 0FD47AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                        • API String ID: 0-355182820
                                                                                                                                                        • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                        • Instruction ID: dbfa923a63db87a93a0e16e883262cc1c61917fe29634c8b05262d6f49fca908
                                                                                                                                                        • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                        • Instruction Fuzzy Hash: 85C16A74218B098FC798EF68C495AEAF3E5FB94304F40472E959AC7201DF34BA15CB96
                                                                                                                                                        Function 0FC82AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                        • API String ID: 0-355182820
                                                                                                                                                        • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                        • Instruction ID: 1681c34364ffc627235f69b20852b5a84e27b3663f034e2395be717b8bde1028
                                                                                                                                                        • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                        • Instruction Fuzzy Hash: 85C16D70218B498FC758FF64C48A6DAF3E1FB94308F40472E959AC7251DF74A61ACB86
                                                                                                                                                        Function 0FD47F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                        • API String ID: 0-97273177
                                                                                                                                                        • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                        • Instruction ID: 20b5a47d848e3dc88f22363af77faee0ad1a202c520970ba1a5d75b5db87d45a
                                                                                                                                                        • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                        • Instruction Fuzzy Hash: 6C51C43111C7488FD759DF18D8816AAB7E5FBC5744F501A2EE8CBC7242DBB4A906CB82
                                                                                                                                                        Function 0FC82F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                        • API String ID: 0-97273177
                                                                                                                                                        • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                        • Instruction ID: 634fcc010869eaf8820c2aac2aaee7ad6e9820e85dbde837811b2438dc3f23a5
                                                                                                                                                        • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                        • Instruction Fuzzy Hash: 4D51C7315187488FD719EF14C4816EAB7E5FBC5704F50192EE8CBC7252DBB4950ACB82
                                                                                                                                                        Function 0FD412F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                        • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                        • Instruction ID: 16782df0fd41aa0e5f511e17b3a120f5d3bbb5178c3f085f9fa11386e1a51b17
                                                                                                                                                        • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                        • Instruction Fuzzy Hash: 25C19C71618B194FC799EF689495AEAF3E5FB98300F844329840EC7252DF34FA41CB96
                                                                                                                                                        Function 0FD412F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                        • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                        • Instruction ID: 61abbf1d30a164e06cc538932508907e4ac23df09a96cffd609981cc5f718c69
                                                                                                                                                        • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                        • Instruction Fuzzy Hash: F0C1AC71618B194FC799EF689495AEAB3E1FB98300F844329840EC7252DF34FA41CB96
                                                                                                                                                        Function 0FC7C2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                        • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                        • Instruction ID: 561a2e501a037ba195c415cf8b875114b0b8a8844d78c2e3bd449433225b9217
                                                                                                                                                        • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                        • Instruction Fuzzy Hash: 7BC1B270618B194FC758FF68D496AEAF3E1FB98304F944329844AC7252DF74E60A8B85
                                                                                                                                                        Function 0FC7C2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                        • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                        • Instruction ID: 5495947411860c49c9aa02b80a4bb247dffc8adbcb0a07f274a38c53392029c2
                                                                                                                                                        • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                        • Instruction Fuzzy Hash: 33C1A170618B194FC758FF68D496AAAF3E1FB98304F94432D844AC7252DF74E60A8B85
                                                                                                                                                        Function 0FD42CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                        • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                        • Instruction ID: ee650568fdb8ac5725f9349f78f668747f57025ee2080c063dcec3ed4bbbca9e
                                                                                                                                                        • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                        • Instruction Fuzzy Hash: 31A1C0706187488BDB59EFA8D4447EEB7E1FF88301F40462DE48AD7242EF74A9458789
                                                                                                                                                        Function 0FC7DCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                        • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                        • Instruction ID: b1a98801cf658dccdc77990a53766352fae920953388c40b7af3fa625f3c96cd
                                                                                                                                                        • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                        • Instruction Fuzzy Hash: 48A1F0706187488FDB18EFA8D445BEEB7E1FF88304F40462DE48AD7242EF74954A8789
                                                                                                                                                        Function 0FD42CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                        • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                        • Instruction ID: f81810016c7a7580e7633052c5fc497db2beb954e024cf016af9260ab2cc04d4
                                                                                                                                                        • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                        • Instruction Fuzzy Hash: 4891A0706187488BDB59EFA8D444BEEB7F1FF98300F40462DE48AD7242EF74A9458789
                                                                                                                                                        Function 0FC7DCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                        • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                        • Instruction ID: 9f4926fa70aef713fa09b016f33f2c9ad7353b25de640843cafe9913544e301b
                                                                                                                                                        • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                        • Instruction Fuzzy Hash: DB91A0706187488FDB19EFA8D445BEEB7E1FF88304F40462EE48AD7242EF74954A8785
                                                                                                                                                        Function 0FD42352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $.$e$n$v
                                                                                                                                                        • API String ID: 0-1849617553
                                                                                                                                                        • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                        • Instruction ID: 59eb8d9737f28e60d706c49da8d2d835560f49ba6dd06d18f3f6c075c8d21e7a
                                                                                                                                                        • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                        • Instruction Fuzzy Hash: 7471B631618B498FD759EFA8C4847AAB7F1FF58305F00062EE44AC7222EF75E9458B85
                                                                                                                                                        Function 0FC7D352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $.$e$n$v
                                                                                                                                                        • API String ID: 0-1849617553
                                                                                                                                                        • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                        • Instruction ID: c98c731e3796e3b5a0a31e8dc15bdac7d906720cca1f04173888532c1448ed15
                                                                                                                                                        • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                        • Instruction Fuzzy Hash: D47192716187498FD758EF68C4856AAB7F1FF98308F00062ED44AC7222EF75E9468B81
                                                                                                                                                        Function 0FD3DC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                        • API String ID: 0-1970020201
                                                                                                                                                        • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                        • Instruction ID: f67584cb235191c7af534752b8d355b583bfb5613c3216c13424446dd527d4bd
                                                                                                                                                        • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                        • Instruction Fuzzy Hash: F1515EB0918B4C8FDB94EFA4C0446EEB7F1FF58301F40462E959AE7215EF30A5418B9A
                                                                                                                                                        Function 0FC78C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                        • API String ID: 0-1970020201
                                                                                                                                                        • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                        • Instruction ID: 09bad2c5c92a454854401d86cd982b3dbc403bbd4493f68493dd43f4927a7403
                                                                                                                                                        • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                        • Instruction Fuzzy Hash: A2518DB0918B4C8FDB64EFA4C045AEEB7F1FF58300F40462E959AE7254EF3095459B89
                                                                                                                                                        Function 0FD3E86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4$\$dll$ion.$vers
                                                                                                                                                        • API String ID: 0-1610437797
                                                                                                                                                        • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                        • Instruction ID: f370bee3ed4abb7da0cb7bcb001f0bff30ccf19e53b7c57c35f4cfb1c0ae37e4
                                                                                                                                                        • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                        • Instruction Fuzzy Hash: EF416F30618B488BDBB9EF6498457EAB7E4FB98301F40462E998EC7241EF34E545C782
                                                                                                                                                        Function 0FC7986F Relevance: 6.4, Strings: 5, Instructions: 157COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 4$\$dll$ion.$vers
                                                                                                                                                        • API String ID: 0-1610437797
                                                                                                                                                        • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                        • Instruction ID: ad11b5905f81efeaca65dc53dce878b80913e14db4cbfd0d6df200907d456d3b
                                                                                                                                                        • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                        • Instruction Fuzzy Hash: 46418330219B888FCB75EF2898467EBB3E4FB99315F40462E988EC7241EF30D5058782
                                                                                                                                                        Function 0FD404B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                        • API String ID: 0-327345718
                                                                                                                                                        • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                        • Instruction ID: 864c069703b5f46de60d7c068fc64f62149ca12dad0aaa303850bdd061772576
                                                                                                                                                        • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                        • Instruction Fuzzy Hash: DD415E30A18F0D8FCB99EF6880987ED77E1FB58301F40456AA90ED7252DA74E5808BC6
                                                                                                                                                        Function 0FC7B4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                        • API String ID: 0-327345718
                                                                                                                                                        • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                        • Instruction ID: 7a975a940d90b20b3ab0b864327c0c7c002b16cb8fe7832f8fb1ad3fed1816aa
                                                                                                                                                        • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                        • Instruction Fuzzy Hash: 6E417130A18F0D8FCB98EF6880967AD73E1FB98300F44056AA80ED7206DE75D9458B86
                                                                                                                                                        Function 0FD3E432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$el32$h$kern
                                                                                                                                                        • API String ID: 0-4264704552
                                                                                                                                                        • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                        • Instruction ID: ee47f773f80a411ec82a2d2a7d3ae47f1cfd7fa1c2f4d205bf34be7d38434acf
                                                                                                                                                        • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                        • Instruction Fuzzy Hash: 9241A470A08B4D4FD7A9DF2880943AAB7E1FB98301F504A2F959EC7296EF70D545CB42
                                                                                                                                                        Function 0FC79432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$el32$h$kern
                                                                                                                                                        • API String ID: 0-4264704552
                                                                                                                                                        • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                        • Instruction ID: 334cfea7031f9b79aea57234ccc3a55884e05f4f00de7a617a03e45eac4a093f
                                                                                                                                                        • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                        • Instruction Fuzzy Hash: 73418F70A08B488FD7A8DF29C0853AAB7E1FB98300F544B2E959EC7666DF70D545CB81
                                                                                                                                                        Function 0FD450B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                        • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                        • Instruction ID: d45a331bf96ce8896cac2838ba77a165b84f3f31d8e57199548ffff096c74841
                                                                                                                                                        • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                        • Instruction Fuzzy Hash: CB31DE3150CB886FC75AEF28D0846DAB7D4FB84300F50491EE49BC7296EA39A54ACB43
                                                                                                                                                        Function 0FC800B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                        • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                        • Instruction ID: 12279ab49c87bcbc7ee2138b09b62748532b377d5e93fe5bc86ddcf4f95afa1e
                                                                                                                                                        • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                        • Instruction Fuzzy Hash: C631E57151CB886FD72AEB28C4856DAB7D4FB84300F50491EE49BC7252EE74A54ACB43
                                                                                                                                                        Function 0FD450C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                        • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                        • Instruction ID: 2cb62beafcfa05b67762110f6c147aefd2866cfec7dbb8fa19b5770ba2be5314
                                                                                                                                                        • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                        • Instruction Fuzzy Hash: 9431E071508B486FD759EF28D4846EAB7D4FB94300F40491EE49BC7256EE34B506CB43
                                                                                                                                                        Function 0FC800C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                        • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                        • Instruction ID: 9ae1898c611e6541f4dbb1bed202de2cd7d9cc259c6c1601a4715066116614d5
                                                                                                                                                        • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                        • Instruction Fuzzy Hash: 3431D271518B486FD729EB28C4866EAB7D4FB94300F50491EE49BC7252EE74E50ACB83
                                                                                                                                                        Function 0FD40FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$chro$hild$me_c
                                                                                                                                                        • API String ID: 0-3136806129
                                                                                                                                                        • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                        • Instruction ID: aba67d322578400f86edce39a34780e974b593b74353f6e0489484c2862d2d84
                                                                                                                                                        • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                        • Instruction Fuzzy Hash: D1318131518B484FCBC5EF689494BAAB7E1FF98300F84066D944ECB256DF34E945CB62
                                                                                                                                                        Function 0FC7BFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$chro$hild$me_c
                                                                                                                                                        • API String ID: 0-3136806129
                                                                                                                                                        • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                        • Instruction ID: 89ee3fa3481bd1de9351925608f985b9e85741dd9dc3b0583fde71a3645f6805
                                                                                                                                                        • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                        • Instruction Fuzzy Hash: 9F319E30118B484FC784FF688496BAAB7E1FBD8204F94066D944ECB256DF34D64ACB92
                                                                                                                                                        Function 0FD40FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$chro$hild$me_c
                                                                                                                                                        • API String ID: 0-3136806129
                                                                                                                                                        • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                        • Instruction ID: 6841ce8529b31618e1983a721643aee6ddf659b00942767e9c1728e3889060d9
                                                                                                                                                        • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                        • Instruction Fuzzy Hash: F331A031118B484FCBD5EF689494BAAB7E1FF98300F84062D944ECB256DF34E945CB62
                                                                                                                                                        Function 0FC7BFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .dll$chro$hild$me_c
                                                                                                                                                        • API String ID: 0-3136806129
                                                                                                                                                        • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                        • Instruction ID: 086ec14d59d8b57277fbb36f52399c367d85e0402d46ceffdc33faf6bb3630d7
                                                                                                                                                        • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                        • Instruction Fuzzy Hash: 9131BE30118B484FC784FF688496BAAB7E1FFD8300F94062D944ACB256DF34D60ADB82
                                                                                                                                                        Function 0FD438C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 0-319646191
                                                                                                                                                        • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction ID: 0ee8b9e03941b3e7a1f032ae34b2eb5db701dfa170d13609789b36a7b0844856
                                                                                                                                                        • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction Fuzzy Hash: 9531DF31614B1D8BCB84EFA8C8847EEB7E0FB58204F40022AD54ED7241DF789A49C79A
                                                                                                                                                        Function 0FC7E8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 0-319646191
                                                                                                                                                        • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction ID: fc08ff1e15b2e5ffdca01183d0261d94397acc4008d2fc038a5b38a18e5a7168
                                                                                                                                                        • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                        • Instruction Fuzzy Hash: FC31AE31614B4D8BCF44FFA8C8857EEB7E1FB58218F44422AD45ED7241EF78864A8789
                                                                                                                                                        Function 0FD438BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 0-319646191
                                                                                                                                                        • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction ID: 54a9c7baa4e820db60138475015f0eb6a73a6b86ea8b178f42fd1a68e0e361bb
                                                                                                                                                        • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction Fuzzy Hash: 6621D530614B1D8BCB45EFA8C8447EDBBE4FF58204F40421AD45AD7241DF78A645C795
                                                                                                                                                        Function 0FC7E8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                        • API String ID: 0-319646191
                                                                                                                                                        • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction ID: 9e7cba846ed5d32d17dff9a14a5eaaf6e50bb5dfa80c2c75084011f8529b2849
                                                                                                                                                        • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                        • Instruction Fuzzy Hash: EB21C331610B4D8ACF44FFA8C8457ED7BE1FF58214F44421AD45AD7241EF7886098789
                                                                                                                                                        Function 0FD44E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                        • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                        • Instruction ID: 8b5eacf00bc4eaccb54d2bbd0f823efef585e26d21d1dee76ee7a6c002ba3f41
                                                                                                                                                        • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                        • Instruction Fuzzy Hash: 3D218D70A64B0E9BDB48EFA8C0447EEBBF1FB18304F50462DD009E3601DB78A5918B94
                                                                                                                                                        Function 0FD44E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                        • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                        • Instruction ID: 711055ac22bf9089386de317a05f9e427138fd79bb3dfec1201edd32acd539f4
                                                                                                                                                        • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                        • Instruction Fuzzy Hash: 0C218070A54B0E9FDB44EFA8C0447AEBAF1FF18304F50462DD009D3611DB78A591CB94
                                                                                                                                                        Function 0FC7FE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                        • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                        • Instruction ID: 4fd860ffcc7784ad540dbab90ec24137912046077ab03c9c2b1eec750df45fed
                                                                                                                                                        • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                        • Instruction Fuzzy Hash: 82217C70A24B0D9BDB08FFA8C0457EABBF0FB18314F50462ED449D3601DBB895568B84
                                                                                                                                                        Function 0FC7FE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                        • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                        • Instruction ID: dc1abfadea318dc76d9431b96da69ceaf737872b68f403c0a2754e0bb4073543
                                                                                                                                                        • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                        • Instruction Fuzzy Hash: 44217C70A24B0E9BDB08FFA8C0457AEBBF0FB58314F50462ED449D3601DBB89556CB84
                                                                                                                                                        Function 0FD44FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165729598.000000000FD30000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FD30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fd30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: auth$logi$pass$user
                                                                                                                                                        • API String ID: 0-2393853802
                                                                                                                                                        • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                        • Instruction ID: b5c71d45fc1aab2b4ab4e277a25dfe3fbe734a5a0645759cd4fa90f50aef4175
                                                                                                                                                        • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                        • Instruction Fuzzy Hash: 7C21DF30614B0D8BCB85DF9D98807EEB7F1EF88344F045619E40AEB246D7B9E9149BD2
                                                                                                                                                        Function 0FC7FFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000007.00000002.4165313331.000000000FC30000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FC30000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_7_2_fc30000_explorer.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: auth$logi$pass$user
                                                                                                                                                        • API String ID: 0-2393853802
                                                                                                                                                        • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                        • Instruction ID: 841cf2bb2235bfa2cba947cd209c82f11dd3f69936df1fd3975bf0bed3514325
                                                                                                                                                        • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                        • Instruction Fuzzy Hash: 5721C030614B0D8BCF05EF9998816EEB7E1EF88358F044619D40AEB245DBB4E9598BC2

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:10.1%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                        Total number of Nodes:172
                                                                                                                                                        Total number of Limit Nodes:8
                                                                                                                                                        execution_graph 21811 81d040 21812 81d086 GetCurrentProcess 21811->21812 21814 81d0d1 21812->21814 21815 81d0d8 GetCurrentThread 21812->21815 21814->21815 21816 81d115 GetCurrentProcess 21815->21816 21817 81d10e 21815->21817 21818 81d14b 21816->21818 21817->21816 21819 81d173 GetCurrentThreadId 21818->21819 21820 81d1a4 21819->21820 21821 81d690 DuplicateHandle 21822 81d726 21821->21822 21844 81acb0 21845 81acbf 21844->21845 21848 81ad97 21844->21848 21853 81ada8 21844->21853 21849 81addc 21848->21849 21850 81adb9 21848->21850 21849->21845 21850->21849 21851 81afe0 GetModuleHandleW 21850->21851 21852 81b00d 21851->21852 21852->21845 21854 81addc 21853->21854 21855 81adb9 21853->21855 21854->21845 21855->21854 21856 81afe0 GetModuleHandleW 21855->21856 21857 81b00d 21856->21857 21857->21845 21823 814668 21824 81467a 21823->21824 21825 814686 21824->21825 21827 814779 21824->21827 21828 81479d 21827->21828 21832 814879 21828->21832 21836 814888 21828->21836 21833 8148af 21832->21833 21835 81498c 21833->21835 21840 8144b4 21833->21840 21837 8148af 21836->21837 21838 8144b4 CreateActCtxA 21837->21838 21839 81498c 21837->21839 21838->21839 21841 815918 CreateActCtxA 21840->21841 21843 8159db 21841->21843 21858 6ab4cd1 21859 6ab4cdb 21858->21859 21860 6ab4c31 21858->21860 21864 6ab6ca1 21859->21864 21881 6ab6d10 21859->21881 21897 6ab6d20 21859->21897 21865 6ab6d09 21864->21865 21866 6ab6caa 21864->21866 21913 6ab74af 21865->21913 21917 6ab71b4 21865->21917 21922 6ab76d5 21865->21922 21927 6ab7691 21865->21927 21931 6ab7c33 21865->21931 21935 6ab7733 21865->21935 21939 6ab727b 21865->21939 21945 6ab7644 21865->21945 21951 6ab7466 21865->21951 21956 6ab79a2 21865->21956 21961 6ab7283 21865->21961 21966 6ab776c 21865->21966 21971 6ab756d 21865->21971 21866->21860 21867 6ab6d5e 21867->21860 21883 6ab6d20 21881->21883 21882 6ab6d5e 21882->21860 21884 6ab74af 2 API calls 21883->21884 21885 6ab756d 2 API calls 21883->21885 21886 6ab776c 2 API calls 21883->21886 21887 6ab7283 2 API calls 21883->21887 21888 6ab79a2 2 API calls 21883->21888 21889 6ab7466 2 API calls 21883->21889 21890 6ab7644 2 API calls 21883->21890 21891 6ab727b 2 API calls 21883->21891 21892 6ab7733 2 API calls 21883->21892 21893 6ab7c33 2 API calls 21883->21893 21894 6ab7691 2 API calls 21883->21894 21895 6ab76d5 2 API calls 21883->21895 21896 6ab71b4 2 API calls 21883->21896 21884->21882 21885->21882 21886->21882 21887->21882 21888->21882 21889->21882 21890->21882 21891->21882 21892->21882 21893->21882 21894->21882 21895->21882 21896->21882 21898 6ab6d3a 21897->21898 21900 6ab74af 2 API calls 21898->21900 21901 6ab756d 2 API calls 21898->21901 21902 6ab776c 2 API calls 21898->21902 21903 6ab7283 2 API calls 21898->21903 21904 6ab79a2 2 API calls 21898->21904 21905 6ab7466 2 API calls 21898->21905 21906 6ab7644 2 API calls 21898->21906 21907 6ab727b 2 API calls 21898->21907 21908 6ab7733 2 API calls 21898->21908 21909 6ab7c33 2 API calls 21898->21909 21910 6ab7691 2 API calls 21898->21910 21911 6ab76d5 2 API calls 21898->21911 21912 6ab71b4 2 API calls 21898->21912 21899 6ab6d5e 21899->21860 21900->21899 21901->21899 21902->21899 21903->21899 21904->21899 21905->21899 21906->21899 21907->21899 21908->21899 21909->21899 21910->21899 21911->21899 21912->21899 21976 6ab4598 21913->21976 21980 6ab4591 21913->21980 21914 6ab73f7 21914->21867 21918 6ab7205 21917->21918 21984 6ab4820 21918->21984 21988 6ab4814 21918->21988 21923 6ab76fe 21922->21923 21992 6ab3ad8 21923->21992 21996 6ab3ae0 21923->21996 21924 6ab7713 21929 6ab4598 WriteProcessMemory 21927->21929 21930 6ab4591 WriteProcessMemory 21927->21930 21928 6ab7627 21928->21867 21929->21928 21930->21928 22000 6ab3b88 21931->22000 22004 6ab3b90 21931->22004 21932 6ab7c4d 21937 6ab3b88 Wow64SetThreadContext 21935->21937 21938 6ab3b90 Wow64SetThreadContext 21935->21938 21936 6ab774d 21937->21936 21938->21936 21940 6ab720e 21939->21940 21941 6ab71ea 21940->21941 21943 6ab4820 CreateProcessA 21940->21943 21944 6ab4814 CreateProcessA 21940->21944 21941->21867 21942 6ab72db 21942->21867 21943->21942 21944->21942 21946 6ab764a 21945->21946 21948 6ab7303 21946->21948 22008 6ab44d8 21946->22008 22012 6ab44d0 21946->22012 21947 6ab7669 21947->21867 21948->21867 21952 6ab746c 21951->21952 22016 6ab4688 21952->22016 22020 6ab4680 21952->22020 21953 6ab748f 21953->21867 21957 6ab7783 21956->21957 21958 6ab76d4 21956->21958 21959 6ab4598 WriteProcessMemory 21957->21959 21960 6ab4591 WriteProcessMemory 21957->21960 21959->21958 21960->21958 21962 6ab71cf 21961->21962 21964 6ab4820 CreateProcessA 21962->21964 21965 6ab4814 CreateProcessA 21962->21965 21963 6ab72db 21963->21867 21964->21963 21965->21963 21967 6ab7772 21966->21967 21969 6ab4598 WriteProcessMemory 21967->21969 21970 6ab4591 WriteProcessMemory 21967->21970 21968 6ab76d4 21969->21968 21970->21968 21972 6ab757a 21971->21972 21974 6ab3ad8 ResumeThread 21972->21974 21975 6ab3ae0 ResumeThread 21972->21975 21973 6ab7713 21974->21973 21975->21973 21977 6ab45e0 WriteProcessMemory 21976->21977 21979 6ab4637 21977->21979 21979->21914 21981 6ab45e0 WriteProcessMemory 21980->21981 21983 6ab4637 21981->21983 21983->21914 21985 6ab48a9 21984->21985 21985->21985 21986 6ab4a0e CreateProcessA 21985->21986 21987 6ab4a6b 21986->21987 21989 6ab480f 21988->21989 21989->21988 21989->21989 21990 6ab4a0e CreateProcessA 21989->21990 21991 6ab4a6b 21990->21991 21993 6ab3b20 ResumeThread 21992->21993 21995 6ab3b51 21993->21995 21995->21924 21997 6ab3b20 ResumeThread 21996->21997 21999 6ab3b51 21997->21999 21999->21924 22001 6ab3bd5 Wow64SetThreadContext 22000->22001 22003 6ab3c1d 22001->22003 22003->21932 22005 6ab3bd5 Wow64SetThreadContext 22004->22005 22007 6ab3c1d 22005->22007 22007->21932 22009 6ab4518 VirtualAllocEx 22008->22009 22011 6ab4555 22009->22011 22011->21947 22013 6ab4518 VirtualAllocEx 22012->22013 22015 6ab4555 22013->22015 22015->21947 22017 6ab46d3 ReadProcessMemory 22016->22017 22019 6ab4717 22017->22019 22019->21953 22021 6ab4677 22020->22021 22021->22020 22022 6ab46e6 ReadProcessMemory 22021->22022 22023 6ab4717 22022->22023 22023->21953 22024 6ab7ed0 22025 6ab805b 22024->22025 22027 6ab7ef6 22024->22027 22027->22025 22028 6ab56fc 22027->22028 22029 6ab8150 PostMessageW 22028->22029 22030 6ab81bc 22029->22030 22030->22027

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 0081D031 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 294 81d031-81d0cf GetCurrentProcess 298 81d0d1-81d0d7 294->298 299 81d0d8-81d10c GetCurrentThread 294->299 298->299 300 81d115-81d149 GetCurrentProcess 299->300 301 81d10e-81d114 299->301 303 81d152-81d16d call 81d618 300->303 304 81d14b-81d151 300->304 301->300 307 81d173-81d1a2 GetCurrentThreadId 303->307 304->303 308 81d1a4-81d1aa 307->308 309 81d1ab-81d20d 307->309 308->309
                                                                                                                                                        APIs
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0081D0BE
                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 0081D0FB
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0081D138
                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0081D191
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                        • Opcode ID: c7223b94252cac084c8e5a18fb1024eb4b94a968981d55d941a9752ee1b71602
                                                                                                                                                        • Instruction ID: 12768e44cda663a2a33e0d40c0f3ef5669c833950ac8d2dacc6aba2f74eb4a2c
                                                                                                                                                        • Opcode Fuzzy Hash: c7223b94252cac084c8e5a18fb1024eb4b94a968981d55d941a9752ee1b71602
                                                                                                                                                        • Instruction Fuzzy Hash: C15167B09003498FDB18CFA9D948BDEBBF5FF48314F24845AE509A7390DB746984CB65
                                                                                                                                                        Function 0081D040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 316 81d040-81d0cf GetCurrentProcess 320 81d0d1-81d0d7 316->320 321 81d0d8-81d10c GetCurrentThread 316->321 320->321 322 81d115-81d149 GetCurrentProcess 321->322 323 81d10e-81d114 321->323 325 81d152-81d16d call 81d618 322->325 326 81d14b-81d151 322->326 323->322 329 81d173-81d1a2 GetCurrentThreadId 325->329 326->325 330 81d1a4-81d1aa 329->330 331 81d1ab-81d20d 329->331 330->331
                                                                                                                                                        APIs
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0081D0BE
                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 0081D0FB
                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0081D138
                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0081D191
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                        • Opcode ID: b06c9af0c8e26669cc1eb28b0e369d79e7685ff8d3355e12224acea24c66462f
                                                                                                                                                        • Instruction ID: 546fa24475b4bc2b3077adfeb23335aabccf0a6830a563f99368e6d9a7c2c7ba
                                                                                                                                                        • Opcode Fuzzy Hash: b06c9af0c8e26669cc1eb28b0e369d79e7685ff8d3355e12224acea24c66462f
                                                                                                                                                        • Instruction Fuzzy Hash: 025165B09007499FEB14CFA9C988BDEBBF5FF48314F24845AE409A7350DB74A984CB65
                                                                                                                                                        Function 06AB4814 Relevance: 1.8, APIs: 1, Instructions: 258processCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 475 6ab4814-6ab4818 476 6ab481a-6ab481d 475->476 477 6ab4861-6ab48b5 475->477 478 6ab480f-6ab4813 476->478 479 6ab481f-6ab485b 476->479 481 6ab48ee-6ab490e 477->481 482 6ab48b7-6ab48c1 477->482 478->475 479->477 487 6ab4910-6ab491a 481->487 488 6ab4947-6ab4976 481->488 482->481 483 6ab48c3-6ab48c5 482->483 485 6ab48e8-6ab48eb 483->485 486 6ab48c7-6ab48d1 483->486 485->481 489 6ab48d3 486->489 490 6ab48d5-6ab48e4 486->490 487->488 491 6ab491c-6ab491e 487->491 498 6ab4978-6ab4982 488->498 499 6ab49af-6ab4a07 488->499 489->490 490->490 492 6ab48e6 490->492 493 6ab4941-6ab4944 491->493 494 6ab4920-6ab492a 491->494 492->485 493->488 496 6ab492e-6ab493d 494->496 497 6ab492c 494->497 496->496 500 6ab493f 496->500 497->496 498->499 501 6ab4984-6ab4986 498->501 509 6ab4a0e-6ab4a69 CreateProcessA 499->509 500->493 503 6ab49a9-6ab49ac 501->503 504 6ab4988-6ab4992 501->504 503->499 505 6ab4996-6ab49a5 504->505 506 6ab4994 504->506 505->505 507 6ab49a7 505->507 506->505 507->503 510 6ab4a6b-6ab4a71 509->510 511 6ab4a72-6ab4af8 509->511 510->511 521 6ab4afa-6ab4afe 511->521 522 6ab4b08-6ab4b0c 511->522 521->522 523 6ab4b00 521->523 524 6ab4b0e-6ab4b12 522->524 525 6ab4b1c-6ab4b20 522->525 523->522 524->525 526 6ab4b14 524->526 527 6ab4b22-6ab4b26 525->527 528 6ab4b30-6ab4b34 525->528 526->525 527->528 531 6ab4b28 527->531 529 6ab4b46-6ab4b4d 528->529 530 6ab4b36-6ab4b3c 528->530 532 6ab4b4f-6ab4b5e 529->532 533 6ab4b64 529->533 530->529 531->528 532->533 535 6ab4b65 533->535 535->535
                                                                                                                                                        APIs
                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AB4A56
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                        • Opcode ID: 256498edf9fefffeae29414c8283c3eef6fd1959e3be4c0c0d378a1aff51bbbf
                                                                                                                                                        • Instruction ID: b0ce04ab570ad19e446a3fea66f1184cceb46e84f32b096312b5eb3841920345
                                                                                                                                                        • Opcode Fuzzy Hash: 256498edf9fefffeae29414c8283c3eef6fd1959e3be4c0c0d378a1aff51bbbf
                                                                                                                                                        • Instruction Fuzzy Hash: 37A16871D002598FEB60DFA8C941BEDBBF6EF48310F0485A9E808A7246DB749985CF91
                                                                                                                                                        Function 06AB4820 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 536 6ab4820-6ab48b5 538 6ab48ee-6ab490e 536->538 539 6ab48b7-6ab48c1 536->539 544 6ab4910-6ab491a 538->544 545 6ab4947-6ab4976 538->545 539->538 540 6ab48c3-6ab48c5 539->540 542 6ab48e8-6ab48eb 540->542 543 6ab48c7-6ab48d1 540->543 542->538 546 6ab48d3 543->546 547 6ab48d5-6ab48e4 543->547 544->545 548 6ab491c-6ab491e 544->548 555 6ab4978-6ab4982 545->555 556 6ab49af-6ab4a69 CreateProcessA 545->556 546->547 547->547 549 6ab48e6 547->549 550 6ab4941-6ab4944 548->550 551 6ab4920-6ab492a 548->551 549->542 550->545 553 6ab492e-6ab493d 551->553 554 6ab492c 551->554 553->553 557 6ab493f 553->557 554->553 555->556 558 6ab4984-6ab4986 555->558 567 6ab4a6b-6ab4a71 556->567 568 6ab4a72-6ab4af8 556->568 557->550 560 6ab49a9-6ab49ac 558->560 561 6ab4988-6ab4992 558->561 560->556 562 6ab4996-6ab49a5 561->562 563 6ab4994 561->563 562->562 564 6ab49a7 562->564 563->562 564->560 567->568 578 6ab4afa-6ab4afe 568->578 579 6ab4b08-6ab4b0c 568->579 578->579 580 6ab4b00 578->580 581 6ab4b0e-6ab4b12 579->581 582 6ab4b1c-6ab4b20 579->582 580->579 581->582 583 6ab4b14 581->583 584 6ab4b22-6ab4b26 582->584 585 6ab4b30-6ab4b34 582->585 583->582 584->585 588 6ab4b28 584->588 586 6ab4b46-6ab4b4d 585->586 587 6ab4b36-6ab4b3c 585->587 589 6ab4b4f-6ab4b5e 586->589 590 6ab4b64 586->590 587->586 588->585 589->590 592 6ab4b65 590->592 592->592
                                                                                                                                                        APIs
                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AB4A56
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                        • Opcode ID: b1ef979d02b01efcacb44f4541d0630463df4784eda9a8c02737c8c31e43d45a
                                                                                                                                                        • Instruction ID: c2577a79d4adb49210453f1b0dcc045dd76760f3b2cac035816e4295ef3b5f9c
                                                                                                                                                        • Opcode Fuzzy Hash: b1ef979d02b01efcacb44f4541d0630463df4784eda9a8c02737c8c31e43d45a
                                                                                                                                                        • Instruction Fuzzy Hash: AA914671D002598BDB60DFA9C941BEEBBF6EB48310F1485A9E808A7246DB749981CF91
                                                                                                                                                        Function 0081ADA8 Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 593 81ada8-81adb7 594 81ade3-81ade7 593->594 595 81adb9-81adc6 call 81a0cc 593->595 596 81ade9-81adf3 594->596 597 81adfb-81ae3c 594->597 600 81adc8 595->600 601 81addc 595->601 596->597 604 81ae49-81ae57 597->604 605 81ae3e-81ae46 597->605 648 81adce call 81b030 600->648 649 81adce call 81b040 600->649 601->594 607 81ae59-81ae5e 604->607 608 81ae7b-81ae7d 604->608 605->604 606 81add4-81add6 606->601 611 81af18-81afd8 606->611 609 81ae60-81ae67 call 81a0d8 607->609 610 81ae69 607->610 612 81ae80-81ae87 608->612 616 81ae6b-81ae79 609->616 610->616 643 81afe0-81b00b GetModuleHandleW 611->643 644 81afda-81afdd 611->644 614 81ae94-81ae9b 612->614 615 81ae89-81ae91 612->615 619 81aea8-81aeaa call 81a0e8 614->619 620 81ae9d-81aea5 614->620 615->614 616->612 623 81aeaf-81aeb1 619->623 620->619 624 81aeb3-81aebb 623->624 625 81aebe-81aec3 623->625 624->625 627 81aee1-81aeee 625->627 628 81aec5-81aecc 625->628 634 81af11-81af17 627->634 635 81aef0-81af0e 627->635 628->627 629 81aece-81aede call 81a0f8 call 81a108 628->629 629->627 635->634 645 81b014-81b028 643->645 646 81b00d-81b013 643->646 644->643 646->645 648->606 649->606
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0081AFFE
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: 98d1c30b7e275dc64acea8a4619b2bed8021b60ba3e33707331a5fad85b13285
                                                                                                                                                        • Instruction ID: e1e5828e9a51208132984de14e737843f88d47d20947e0df2881ba6d476a5900
                                                                                                                                                        • Opcode Fuzzy Hash: 98d1c30b7e275dc64acea8a4619b2bed8021b60ba3e33707331a5fad85b13285
                                                                                                                                                        • Instruction Fuzzy Hash: 8F713770A01B058FD728DF69D44179ABBF5FF88304F00892DE48AD7A50DB75E989CB92
                                                                                                                                                        Function 0081590C Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 650 81590c-8159d9 CreateActCtxA 652 8159e2-815a3c 650->652 653 8159db-8159e1 650->653 660 815a4b-815a4f 652->660 661 815a3e-815a41 652->661 653->652 662 815a51-815a5d 660->662 663 815a60 660->663 661->660 662->663 665 815a61 663->665 665->665
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 008159C9
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 3ffea4dd9dd6d1ad08fccb26d9f5c53e58316adbc7a130ddd1b76ce6d066a18f
                                                                                                                                                        • Instruction ID: d8909a457ac7a2680131ed272422897a05a3da39bd696a2f48ea78de5b55586b
                                                                                                                                                        • Opcode Fuzzy Hash: 3ffea4dd9dd6d1ad08fccb26d9f5c53e58316adbc7a130ddd1b76ce6d066a18f
                                                                                                                                                        • Instruction Fuzzy Hash: 1C41E3B0C00719CBDB24CFA9C984BDEBBB6FF89314F20815AD409AB251DB756946CF50
                                                                                                                                                        Function 008144B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 666 8144b4-8159d9 CreateActCtxA 669 8159e2-815a3c 666->669 670 8159db-8159e1 666->670 677 815a4b-815a4f 669->677 678 815a3e-815a41 669->678 670->669 679 815a51-815a5d 677->679 680 815a60 677->680 678->677 679->680 682 815a61 680->682 682->682
                                                                                                                                                        APIs
                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 008159C9
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Create
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                        • Opcode ID: 1c00d9c79dbc3cb96662c48a3325e43089f31d24d2e9a14c4f29cf6b6f18d5a2
                                                                                                                                                        • Instruction ID: 8ff9ba1dca8676391755cbbd32e187e92a9924e86e375d84a1ea09a9bb40126e
                                                                                                                                                        • Opcode Fuzzy Hash: 1c00d9c79dbc3cb96662c48a3325e43089f31d24d2e9a14c4f29cf6b6f18d5a2
                                                                                                                                                        • Instruction Fuzzy Hash: EF41B2B0C00719CBDB24CFA9C984BDEBBB9FF89304F20816AD409AB251DB756945CF90
                                                                                                                                                        Function 06AB4680 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 693 6ab4680-6ab4685 694 6ab4677-6ab467f 693->694 695 6ab4687-6ab46df 693->695 694->693 697 6ab46e6-6ab4715 ReadProcessMemory 695->697 698 6ab471e-6ab474e 697->698 699 6ab4717-6ab471d 697->699 699->698
                                                                                                                                                        APIs
                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AB4708
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                        • Opcode ID: 364a9c1a389007566e6ba75c4799921d10ddf4e9e400839863362c6ac1873088
                                                                                                                                                        • Instruction ID: fe7bf2d3de1c12a1968ad542724367e6a19da086f9e5f2c565efafdeb100efc6
                                                                                                                                                        • Opcode Fuzzy Hash: 364a9c1a389007566e6ba75c4799921d10ddf4e9e400839863362c6ac1873088
                                                                                                                                                        • Instruction Fuzzy Hash: A2217AB1C053999FCB11CFA9C880ADEBFF5FF49320F14842AE558A7252C7789904CBA1
                                                                                                                                                        Function 06AB4591 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 683 6ab4591-6ab45e6 685 6ab45e8-6ab45f4 683->685 686 6ab45f6-6ab4635 WriteProcessMemory 683->686 685->686 688 6ab463e-6ab466e 686->688 689 6ab4637-6ab463d 686->689 689->688
                                                                                                                                                        APIs
                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AB4628
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                        • Opcode ID: 2099a2163a4421aa223270bd8d63b5bd7868ef097dc4f811e6f01fe23f3e2bd2
                                                                                                                                                        • Instruction ID: c8f72b35dd72d0623e9b4a6a089af117afa948cd65d048cf64219fe01c96f27e
                                                                                                                                                        • Opcode Fuzzy Hash: 2099a2163a4421aa223270bd8d63b5bd7868ef097dc4f811e6f01fe23f3e2bd2
                                                                                                                                                        • Instruction Fuzzy Hash: E62144B19002499FDB10CFAAC881BDEBBF5FF48320F14842AE919A7241D7789940CBA0
                                                                                                                                                        Function 06AB4598 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 703 6ab4598-6ab45e6 705 6ab45e8-6ab45f4 703->705 706 6ab45f6-6ab4635 WriteProcessMemory 703->706 705->706 708 6ab463e-6ab466e 706->708 709 6ab4637-6ab463d 706->709 709->708
                                                                                                                                                        APIs
                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AB4628
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                        • Opcode ID: 3065b16f683b992f21a36ba04e1239b4b81558f1e15479485e4f655288a458cd
                                                                                                                                                        • Instruction ID: 07a2de616ec094d9ceb33f7606eb3a84c3440b24c0f96d959d6f3f32c858067d
                                                                                                                                                        • Opcode Fuzzy Hash: 3065b16f683b992f21a36ba04e1239b4b81558f1e15479485e4f655288a458cd
                                                                                                                                                        • Instruction Fuzzy Hash: D82126B1D003599FDB10DFA9C981BDEBBF5FF48310F14842AE918A7241D7789940DBA5
                                                                                                                                                        Function 06AB3B88 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 713 6ab3b88-6ab3bdb 715 6ab3beb-6ab3c1b Wow64SetThreadContext 713->715 716 6ab3bdd-6ab3be9 713->716 718 6ab3c1d-6ab3c23 715->718 719 6ab3c24-6ab3c54 715->719 716->715 718->719
                                                                                                                                                        APIs
                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AB3C0E
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                        • Opcode ID: b09c1cafcf9656ae7454ccec258a7daf8de9ded01b08824d44d37adc25cb1b5e
                                                                                                                                                        • Instruction ID: 8166e41de202a1cf1d98b7263196c8f71fac53374f5bffe2eeaf34cce8a23bdb
                                                                                                                                                        • Opcode Fuzzy Hash: b09c1cafcf9656ae7454ccec258a7daf8de9ded01b08824d44d37adc25cb1b5e
                                                                                                                                                        • Instruction Fuzzy Hash: 4C215971D102198FDB10DFAAC4817EEFBF9EF48324F14842AD519A7241D7789945CBA1
                                                                                                                                                        Function 06AB4688 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AB4708
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                        • Opcode ID: 5116255ad0acc40345e86b3d1c9345102bcb62dc3ab096994433fc487a9fc71b
                                                                                                                                                        • Instruction ID: 41a390172c7588f86b0e4eb43f7048ff5a3e384bfb87b4db8f3c1926aed7fe15
                                                                                                                                                        • Opcode Fuzzy Hash: 5116255ad0acc40345e86b3d1c9345102bcb62dc3ab096994433fc487a9fc71b
                                                                                                                                                        • Instruction Fuzzy Hash: F82128B1D003599FDB10DFAAC881ADEFBF5FF48320F14842AE518A7241D7789540DBA5
                                                                                                                                                        Function 06AB3B90 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AB3C0E
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                        • Opcode ID: e70e2b001a6292761c59e4dea0322254a6cf2812d8e5b53c7ec5950eedc63826
                                                                                                                                                        • Instruction ID: d43f3b69962c9d4a5fa8c85f95350c0ed944e778d650981dd0f5f45a4e1fa6c9
                                                                                                                                                        • Opcode Fuzzy Hash: e70e2b001a6292761c59e4dea0322254a6cf2812d8e5b53c7ec5950eedc63826
                                                                                                                                                        • Instruction Fuzzy Hash: C8213971D002198FDB50DFAAC4857EEBBF8EF48324F148429D519A7241C778A945CBA5
                                                                                                                                                        Function 0081D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D717
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: 7f8fec8fdacd196c4351820f5b5be38e8a6c62c8488c185d66825eddd9dacf18
                                                                                                                                                        • Instruction ID: 668500231602852b020deabcc2d0b420d2b5caa487bae8dbc0f1ea4d015ab2a9
                                                                                                                                                        • Opcode Fuzzy Hash: 7f8fec8fdacd196c4351820f5b5be38e8a6c62c8488c185d66825eddd9dacf18
                                                                                                                                                        • Instruction Fuzzy Hash: FB21E3B5900248DFDB10CF9AD984ADEBBF9FB48320F14841AE918A3350D374A954CFA4
                                                                                                                                                        Function 0081D689 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D717
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                        • Opcode ID: ec42ef9ee4cf3055f787635c5fdbd12e436e7d5b7526d46d400284d25ac72509
                                                                                                                                                        • Instruction ID: b403612863825c5853bb78f5f1d0a118bff469880343bbba97226b6b645c6e21
                                                                                                                                                        • Opcode Fuzzy Hash: ec42ef9ee4cf3055f787635c5fdbd12e436e7d5b7526d46d400284d25ac72509
                                                                                                                                                        • Instruction Fuzzy Hash: 5121E2B5D00249DFDB10CFA9D580ADEBBF9FB48324F24841AE918A7350C378A954CFA4
                                                                                                                                                        Function 06AB44D0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AB4546
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                        • Opcode ID: e640dce0c4bca0356b44df9bb59df4c85348d253d836a32cf4c9fc55c46942dd
                                                                                                                                                        • Instruction ID: ff577a40266891f2c9b409f5724ff55da5cba4d7d8476df6d38a5a7c053fb1ce
                                                                                                                                                        • Opcode Fuzzy Hash: e640dce0c4bca0356b44df9bb59df4c85348d253d836a32cf4c9fc55c46942dd
                                                                                                                                                        • Instruction Fuzzy Hash: 221159759002499FDF10DFA9D845BDEBFF9EF88320F148419E519A7250C7759940CFA1
                                                                                                                                                        Function 06AB3AD8 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                        • Opcode ID: 45b663dca70d14dfde991c8b0284c27f0cb1106db4450d84bc1798956d43fe89
                                                                                                                                                        • Instruction ID: 03684bec6126d37824a6637550a7741e1caed30e0b5166b6c3c31918078fc0b5
                                                                                                                                                        • Opcode Fuzzy Hash: 45b663dca70d14dfde991c8b0284c27f0cb1106db4450d84bc1798956d43fe89
                                                                                                                                                        • Instruction Fuzzy Hash: F8118BB1D002498BDB20DFAAC4457DEFFF9EF88324F248419D519A7201D7745501CBA4
                                                                                                                                                        Function 06AB44D8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AB4546
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                        • Opcode ID: fdc345dbf43b817661215bff7cc675977b92d06672f2f396efae8b339edb5f66
                                                                                                                                                        • Instruction ID: 61681a7da423fef8c4fb260b9ea9a3d37cfeddf5c015219d3c11edcad906c36a
                                                                                                                                                        • Opcode Fuzzy Hash: fdc345dbf43b817661215bff7cc675977b92d06672f2f396efae8b339edb5f66
                                                                                                                                                        • Instruction Fuzzy Hash: 831167719002499FDF10DFAAC845BDEBFF9EF88320F248419E519A7250C775A900CFA4
                                                                                                                                                        Function 06AB3AE0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ResumeThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 947044025-0
                                                                                                                                                        • Opcode ID: 0cc1b42c0567aa4be06de60a91b8b900a4d0e16b7e700e54790c46fb789920b8
                                                                                                                                                        • Instruction ID: ea656dd0b85a836f6c36210505421bd71af01d906f2073491c40cf068c13ebb8
                                                                                                                                                        • Opcode Fuzzy Hash: 0cc1b42c0567aa4be06de60a91b8b900a4d0e16b7e700e54790c46fb789920b8
                                                                                                                                                        • Instruction Fuzzy Hash: B5116AB1D003498FDB20DFAAC445BDEFBF9EF88324F248419D519A7240C7756900CBA4
                                                                                                                                                        Function 06AB56FC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AB81AD
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                        • Opcode ID: 5a492c994f9eda734816605704640b77f52cffa9c417476272e3b247bc6ba15c
                                                                                                                                                        • Instruction ID: eb1e6448bae6b52df761e2b5857416386cabe61673f8385887747ce374b841b6
                                                                                                                                                        • Opcode Fuzzy Hash: 5a492c994f9eda734816605704640b77f52cffa9c417476272e3b247bc6ba15c
                                                                                                                                                        • Instruction Fuzzy Hash: 6F11F5B5800349DFDB10DF99D985BDEBBF8EB48320F14841AE514A7201C379A944CFA5
                                                                                                                                                        Function 06AB814A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AB81AD
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1787742385.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_6ab0000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                        • Opcode ID: a9d3d3c2cd9f23464461e31bdff63edd86453f25269a85ec5d2be448e002423a
                                                                                                                                                        • Instruction ID: 872fa208daea90be07104f17921f7efc7b087f5bf1b4f5276b2e8efd7ce9c12f
                                                                                                                                                        • Opcode Fuzzy Hash: a9d3d3c2cd9f23464461e31bdff63edd86453f25269a85ec5d2be448e002423a
                                                                                                                                                        • Instruction Fuzzy Hash: FA11F2B5810349DFDB10DF9AD985BDEBFF8EB48324F24841AE558A7210C379A944CFA1
                                                                                                                                                        Function 0081AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0081AFFE
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1764067607.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_810000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                                        • Opcode ID: d149137a0de74e058d1921496d1877c54e507dd911f99a7e3258b9182d6de07e
                                                                                                                                                        • Instruction ID: d7a4e0afb81e343940348c95acdf49d93143ca83e6ae2cbf536ea4538232c3c0
                                                                                                                                                        • Opcode Fuzzy Hash: d149137a0de74e058d1921496d1877c54e507dd911f99a7e3258b9182d6de07e
                                                                                                                                                        • Instruction Fuzzy Hash: 92110FB5C006498FDB24CF9AC444ADEFBF8EF88324F14841AD928A7210D379A545CFA1
                                                                                                                                                        Function 0065D4C4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760851450.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_65d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 51904add3dd4c27392d2a595ce224a15c301c328300cdd63ea94ff0639dccac7
                                                                                                                                                        • Instruction ID: d0f9624d74cc0a2a257da75fccd4fe97edb0d5bd6ded8147603675f059e8fb2c
                                                                                                                                                        • Opcode Fuzzy Hash: 51904add3dd4c27392d2a595ce224a15c301c328300cdd63ea94ff0639dccac7
                                                                                                                                                        • Instruction Fuzzy Hash: 702133B1504200EFCB25DF14C9C0B26BF66FB88319F20C569EC090B296C336D85ACAA1
                                                                                                                                                        Function 0065D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760851450.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_65d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8e6ff567e8849e394e91698c2336744714ac9855194d439f422a96e8f4b74e59
                                                                                                                                                        • Instruction ID: 83d34a9584e69583da52ddec22b3fe11dcbc54f09af3b3debad28be2b1bc4fb1
                                                                                                                                                        • Opcode Fuzzy Hash: 8e6ff567e8849e394e91698c2336744714ac9855194d439f422a96e8f4b74e59
                                                                                                                                                        • Instruction Fuzzy Hash: 3E2148B1104200DFDB24DF04C9C0B26BFA6FB94325F20C569ED090B396C336E84ACBA2
                                                                                                                                                        Function 0066D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760939075.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_66d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: cb81811ad5260b3ef23b032afb0f219ae5dfc58707e49ada42c80ab91a241e33
                                                                                                                                                        • Instruction ID: bc267334b74344bf659bf37507f32febb9ad1dd73cc0ac0899a19da4f9a108c9
                                                                                                                                                        • Opcode Fuzzy Hash: cb81811ad5260b3ef23b032afb0f219ae5dfc58707e49ada42c80ab91a241e33
                                                                                                                                                        • Instruction Fuzzy Hash: A92129B1A04240EFDB15DF14D5D0B26BB6AFB84314F24C56DEA094B355C336D946CB61
                                                                                                                                                        Function 0066D01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760939075.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_66d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2c2845a5b4f611b2f14ba92405af2b2075a7e1c5af5ba05a840fb8327171c725
                                                                                                                                                        • Instruction ID: 31b13277f5d6f7059df44e5fa887f5c753bca832b116524864fc95558cb5d7bb
                                                                                                                                                        • Opcode Fuzzy Hash: 2c2845a5b4f611b2f14ba92405af2b2075a7e1c5af5ba05a840fb8327171c725
                                                                                                                                                        • Instruction Fuzzy Hash: F321F2B5A04240DFCB14DF14D9C0B26BB66FB88314F24C96DE90A4B396C33BD847CAA1
                                                                                                                                                        Function 0065D4BF Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760851450.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_65d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction ID: e03298d6ac1323936434d722b8c81a865c1f9eddbc7cf3bc2ba66e658391cf68
                                                                                                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction Fuzzy Hash: FF11E172404280CFCB12CF10D5C0B56BF72FB94318F24C6A9DC090B656C33AD85ACBA1
                                                                                                                                                        Function 0065D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760851450.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_65d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction ID: 05a9250b617b55ca38979a1d6557e7da66f5001f5905a6b495088c2217f18062
                                                                                                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                        • Instruction Fuzzy Hash: 9F11DF72404240DFDB16CF00D5C0B56BFB2FB94324F24C2A9DC090B696C33AE85ACBA1
                                                                                                                                                        Function 0066D017 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760939075.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_66d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction ID: 51766627eebf27d0eda19811a6d6b1a435cc398c5f1f18e1d64ddfaa1320ef17
                                                                                                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction Fuzzy Hash: 25118E75A04280DFDB15CF14D5C4B55BB62FB84314F24C6AAD8494B756C33AD84ACB61
                                                                                                                                                        Function 0066D1CF Relevance: .1, Instructions: 53COMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000008.00000002.1760939075.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_8_2_66d000_OEcHGGP.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction ID: 65a376ec13e1545c0e708b8207ab9a891cda2585a69eb219fae88db6c8afc06f
                                                                                                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                        • Instruction Fuzzy Hash: 2D11BB75A04280DFCB12CF10C5D0B15BBA2FB84314F28C6AAD9494B796C33AD84ACB61

                                                                                                                                                        Execution Graph

                                                                                                                                                        Execution Coverage:1.4%
                                                                                                                                                        Dynamic/Decrypted Code Coverage:2.9%
                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                        Total number of Nodes:555
                                                                                                                                                        Total number of Limit Nodes:68
                                                                                                                                                        execution_graph 96857 1712ad0 LdrInitializeThunk 96858 41f0e0 96861 41b940 96858->96861 96862 41b966 96861->96862 96869 409d40 96862->96869 96864 41b972 96865 41b993 96864->96865 96877 40c1c0 96864->96877 96867 41b985 96913 41a680 96867->96913 96916 409c90 96869->96916 96871 409d4d 96872 409d54 96871->96872 96928 409c30 96871->96928 96872->96864 96878 40c1e5 96877->96878 97338 40b1c0 96878->97338 96880 40c23c 97342 40ae40 96880->97342 96882 40c4b3 96882->96867 96883 40c262 96883->96882 97351 4143a0 96883->97351 96885 40c2a7 96885->96882 97354 408a60 96885->97354 96887 40c2eb 96887->96882 97361 41a4d0 96887->97361 96891 40c341 96892 40c348 96891->96892 97373 419fe0 96891->97373 96893 41bd90 2 API calls 96892->96893 96895 40c355 96893->96895 96895->96867 96897 40c392 96898 41bd90 2 API calls 96897->96898 96899 40c399 96898->96899 96899->96867 96900 40c3a2 96901 40f4a0 3 API calls 96900->96901 96902 40c416 96901->96902 96902->96892 96903 40c421 96902->96903 96904 41bd90 2 API calls 96903->96904 96905 40c445 96904->96905 97379 41a030 96905->97379 96908 419fe0 2 API calls 96909 40c480 96908->96909 96909->96882 97384 419df0 96909->97384 96912 41a680 2 API calls 96912->96882 96914 41af30 LdrLoadDll 96913->96914 96915 41a69f ExitProcess 96914->96915 96915->96865 96917 409ca3 96916->96917 96967 418b90 LdrLoadDll 96916->96967 96947 418a40 96917->96947 96920 409cb6 96920->96871 96921 409cac 96921->96920 96950 41b280 96921->96950 96923 409cf3 96923->96920 96961 409ab0 96923->96961 96925 409d13 96968 409620 LdrLoadDll 96925->96968 96927 409d25 96927->96871 96929 409c4a 96928->96929 96930 41b570 LdrLoadDll 96928->96930 97312 41b570 96929->97312 96930->96929 96933 41b570 LdrLoadDll 96934 409c71 96933->96934 96935 40f180 96934->96935 96936 40f199 96935->96936 97321 40b040 96936->97321 96938 40f1ac 97325 41a1b0 96938->97325 96941 409d65 96941->96864 96943 40f1d2 96944 40f1fd 96943->96944 97331 41a230 96943->97331 96946 41a460 2 API calls 96944->96946 96946->96941 96969 41a5d0 96947->96969 96951 41b299 96950->96951 96982 414a50 96951->96982 96953 41b2b1 96954 41b2ba 96953->96954 97021 41b0c0 96953->97021 96954->96923 96956 41b2ce 96956->96954 97039 419ed0 96956->97039 97290 407ea0 96961->97290 96963 409ad1 96963->96925 96964 409aca 96964->96963 97303 408160 96964->97303 96967->96917 96968->96927 96972 41af30 96969->96972 96971 418a55 96971->96921 96973 41af40 96972->96973 96974 41af62 96972->96974 96976 414e50 96973->96976 96974->96971 96977 414e6a 96976->96977 96978 414e5e 96976->96978 96977->96974 96978->96977 96981 4152d0 LdrLoadDll 96978->96981 96980 414fbc 96980->96974 96981->96980 96983 414d85 96982->96983 96985 414a64 96982->96985 96983->96953 96985->96983 97047 419c20 96985->97047 96987 414b90 97050 41a330 96987->97050 96988 414b73 97108 41a430 LdrLoadDll 96988->97108 96991 414b7d 96991->96953 96992 414bb7 96993 41bd90 2 API calls 96992->96993 96994 414bc3 96993->96994 96994->96991 96995 414d49 96994->96995 96996 414d5f 96994->96996 97001 414c52 96994->97001 96997 41a460 2 API calls 96995->96997 97117 414790 LdrLoadDll NtReadFile NtClose 96996->97117 96998 414d50 96997->96998 96998->96953 97000 414d72 97000->96953 97002 414cb9 97001->97002 97003 414c61 97001->97003 97002->96995 97004 414ccc 97002->97004 97005 414c66 97003->97005 97006 414c7a 97003->97006 97110 41a2b0 97004->97110 97109 414650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 97005->97109 97010 414c97 97006->97010 97011 414c7f 97006->97011 97010->96998 97066 414410 97010->97066 97054 4146f0 97011->97054 97013 414c70 97013->96953 97015 414d2c 97114 41a460 97015->97114 97016 414c8d 97016->96953 97019 414caf 97019->96953 97020 414d38 97020->96953 97022 41b0d1 97021->97022 97023 41b0e3 97022->97023 97135 41bd10 97022->97135 97023->96956 97025 41b104 97138 414070 97025->97138 97027 41b150 97027->96956 97028 41b127 97028->97027 97029 414070 3 API calls 97028->97029 97031 41b149 97029->97031 97031->97027 97163 415390 97031->97163 97032 41b1da 97033 41b1ea 97032->97033 97257 41aed0 LdrLoadDll 97032->97257 97173 41ad40 97033->97173 97036 41b218 97252 419e90 97036->97252 97040 41af30 LdrLoadDll 97039->97040 97041 419eec 97040->97041 97284 1712c0a 97041->97284 97042 419f07 97044 41bd90 97042->97044 97045 41b329 97044->97045 97287 41a640 97044->97287 97045->96923 97048 41af30 LdrLoadDll 97047->97048 97049 414b44 97048->97049 97049->96987 97049->96988 97049->96991 97051 41a346 97050->97051 97052 41af30 LdrLoadDll 97051->97052 97053 41a34c NtCreateFile 97052->97053 97053->96992 97055 41470c 97054->97055 97056 41a2b0 LdrLoadDll 97055->97056 97057 41472d 97056->97057 97058 414734 97057->97058 97059 414748 97057->97059 97060 41a460 2 API calls 97058->97060 97061 41a460 2 API calls 97059->97061 97062 41473d 97060->97062 97063 414751 97061->97063 97062->97016 97118 41bfa0 LdrLoadDll RtlAllocateHeap 97063->97118 97065 41475c 97065->97016 97067 41445b 97066->97067 97069 41448e 97066->97069 97070 41a2b0 LdrLoadDll 97067->97070 97068 4145d9 97071 41a2b0 LdrLoadDll 97068->97071 97069->97068 97074 4144aa 97069->97074 97072 414476 97070->97072 97078 4145f4 97071->97078 97073 41a460 2 API calls 97072->97073 97075 41447f 97073->97075 97076 41a2b0 LdrLoadDll 97074->97076 97075->97019 97077 4144c5 97076->97077 97080 4144e1 97077->97080 97081 4144cc 97077->97081 97131 41a2f0 LdrLoadDll 97078->97131 97084 4144e6 97080->97084 97085 4144fc 97080->97085 97083 41a460 2 API calls 97081->97083 97082 41462e 97086 41a460 2 API calls 97082->97086 97087 4144d5 97083->97087 97088 41a460 2 API calls 97084->97088 97093 414501 97085->97093 97119 41bf60 97085->97119 97089 414639 97086->97089 97087->97019 97090 4144ef 97088->97090 97089->97019 97090->97019 97101 414513 97093->97101 97122 41a3e0 97093->97122 97094 414567 97095 41457e 97094->97095 97130 41a270 LdrLoadDll 97094->97130 97096 414585 97095->97096 97097 41459a 97095->97097 97099 41a460 2 API calls 97096->97099 97100 41a460 2 API calls 97097->97100 97099->97101 97102 4145a3 97100->97102 97101->97019 97103 4145cf 97102->97103 97125 41bb60 97102->97125 97103->97019 97105 4145ba 97106 41bd90 2 API calls 97105->97106 97107 4145c3 97106->97107 97107->97019 97108->96991 97109->97013 97111 414d14 97110->97111 97112 41af30 LdrLoadDll 97110->97112 97113 41a2f0 LdrLoadDll 97111->97113 97112->97111 97113->97015 97115 41a47c NtClose 97114->97115 97116 41af30 LdrLoadDll 97114->97116 97115->97020 97116->97115 97117->97000 97118->97065 97121 41bf78 97119->97121 97132 41a600 97119->97132 97121->97093 97123 41a3fc NtReadFile 97122->97123 97124 41af30 LdrLoadDll 97122->97124 97123->97094 97124->97123 97126 41bb84 97125->97126 97127 41bb6d 97125->97127 97126->97105 97127->97126 97128 41bf60 2 API calls 97127->97128 97129 41bb9b 97128->97129 97129->97105 97130->97095 97131->97082 97133 41af30 LdrLoadDll 97132->97133 97134 41a61c RtlAllocateHeap 97133->97134 97134->97121 97136 41bd3d 97135->97136 97258 41a510 97135->97258 97136->97025 97139 414081 97138->97139 97140 414089 97138->97140 97139->97028 97162 41435c 97140->97162 97261 41cf00 97140->97261 97142 4140dd 97143 41cf00 2 API calls 97142->97143 97147 4140e8 97143->97147 97144 414136 97146 41cf00 2 API calls 97144->97146 97148 41414a 97146->97148 97147->97144 97266 41cfa0 97147->97266 97149 41cf00 2 API calls 97148->97149 97151 4141bd 97149->97151 97150 41cf00 2 API calls 97159 414205 97150->97159 97151->97150 97153 414334 97273 41cf60 LdrLoadDll RtlFreeHeap 97153->97273 97155 41433e 97274 41cf60 LdrLoadDll RtlFreeHeap 97155->97274 97157 414348 97275 41cf60 LdrLoadDll RtlFreeHeap 97157->97275 97272 41cf60 LdrLoadDll RtlFreeHeap 97159->97272 97160 414352 97276 41cf60 LdrLoadDll RtlFreeHeap 97160->97276 97162->97028 97164 4153a1 97163->97164 97165 414a50 8 API calls 97164->97165 97167 4153b7 97165->97167 97166 41540a 97166->97032 97167->97166 97168 4153f2 97167->97168 97169 415405 97167->97169 97170 41bd90 2 API calls 97168->97170 97171 41bd90 2 API calls 97169->97171 97172 4153f7 97170->97172 97171->97166 97172->97032 97277 41ac00 97173->97277 97176 41ac00 LdrLoadDll 97177 41ad5d 97176->97177 97178 41ac00 LdrLoadDll 97177->97178 97179 41ad66 97178->97179 97180 41ac00 LdrLoadDll 97179->97180 97181 41ad6f 97180->97181 97182 41ac00 LdrLoadDll 97181->97182 97183 41ad78 97182->97183 97184 41ac00 LdrLoadDll 97183->97184 97185 41ad81 97184->97185 97186 41ac00 LdrLoadDll 97185->97186 97187 41ad8d 97186->97187 97188 41ac00 LdrLoadDll 97187->97188 97189 41ad96 97188->97189 97190 41ac00 LdrLoadDll 97189->97190 97191 41ad9f 97190->97191 97192 41ac00 LdrLoadDll 97191->97192 97193 41ada8 97192->97193 97194 41ac00 LdrLoadDll 97193->97194 97195 41adb1 97194->97195 97196 41ac00 LdrLoadDll 97195->97196 97197 41adba 97196->97197 97198 41ac00 LdrLoadDll 97197->97198 97199 41adc6 97198->97199 97200 41ac00 LdrLoadDll 97199->97200 97201 41adcf 97200->97201 97202 41ac00 LdrLoadDll 97201->97202 97203 41add8 97202->97203 97204 41ac00 LdrLoadDll 97203->97204 97205 41ade1 97204->97205 97206 41ac00 LdrLoadDll 97205->97206 97207 41adea 97206->97207 97208 41ac00 LdrLoadDll 97207->97208 97209 41adf3 97208->97209 97210 41ac00 LdrLoadDll 97209->97210 97211 41adff 97210->97211 97212 41ac00 LdrLoadDll 97211->97212 97213 41ae08 97212->97213 97214 41ac00 LdrLoadDll 97213->97214 97215 41ae11 97214->97215 97216 41ac00 LdrLoadDll 97215->97216 97217 41ae1a 97216->97217 97218 41ac00 LdrLoadDll 97217->97218 97219 41ae23 97218->97219 97220 41ac00 LdrLoadDll 97219->97220 97221 41ae2c 97220->97221 97222 41ac00 LdrLoadDll 97221->97222 97223 41ae38 97222->97223 97224 41ac00 LdrLoadDll 97223->97224 97225 41ae41 97224->97225 97226 41ac00 LdrLoadDll 97225->97226 97227 41ae4a 97226->97227 97228 41ac00 LdrLoadDll 97227->97228 97229 41ae53 97228->97229 97230 41ac00 LdrLoadDll 97229->97230 97231 41ae5c 97230->97231 97232 41ac00 LdrLoadDll 97231->97232 97233 41ae65 97232->97233 97234 41ac00 LdrLoadDll 97233->97234 97235 41ae71 97234->97235 97236 41ac00 LdrLoadDll 97235->97236 97237 41ae7a 97236->97237 97238 41ac00 LdrLoadDll 97237->97238 97239 41ae83 97238->97239 97240 41ac00 LdrLoadDll 97239->97240 97241 41ae8c 97240->97241 97242 41ac00 LdrLoadDll 97241->97242 97243 41ae95 97242->97243 97244 41ac00 LdrLoadDll 97243->97244 97245 41ae9e 97244->97245 97246 41ac00 LdrLoadDll 97245->97246 97247 41aeaa 97246->97247 97248 41ac00 LdrLoadDll 97247->97248 97249 41aeb3 97248->97249 97250 41ac00 LdrLoadDll 97249->97250 97251 41aebc 97250->97251 97251->97036 97253 41af30 LdrLoadDll 97252->97253 97254 419eac 97253->97254 97283 1712df0 LdrInitializeThunk 97254->97283 97255 419ec3 97255->96956 97257->97033 97259 41a52c NtAllocateVirtualMemory 97258->97259 97260 41af30 LdrLoadDll 97258->97260 97259->97136 97260->97259 97262 41cf10 97261->97262 97263 41cf16 97261->97263 97262->97142 97264 41bf60 2 API calls 97263->97264 97265 41cf3c 97264->97265 97265->97142 97267 41cfc5 97266->97267 97268 41cffd 97266->97268 97269 41bf60 2 API calls 97267->97269 97268->97147 97270 41cfda 97269->97270 97271 41bd90 2 API calls 97270->97271 97271->97268 97272->97153 97273->97155 97274->97157 97275->97160 97276->97162 97278 41ac1b 97277->97278 97279 414e50 LdrLoadDll 97278->97279 97280 41ac3b 97279->97280 97281 414e50 LdrLoadDll 97280->97281 97282 41ace7 97280->97282 97281->97282 97282->97176 97283->97255 97285 1712c11 97284->97285 97286 1712c1f LdrInitializeThunk 97284->97286 97285->97042 97286->97042 97288 41af30 LdrLoadDll 97287->97288 97289 41a65c RtlFreeHeap 97288->97289 97289->97045 97291 407eb0 97290->97291 97292 407eab 97290->97292 97293 41bd10 2 API calls 97291->97293 97292->96964 97296 407ed5 97293->97296 97294 407f38 97294->96964 97295 419e90 2 API calls 97295->97296 97296->97294 97296->97295 97297 407f3e 97296->97297 97302 41bd10 2 API calls 97296->97302 97306 41a590 97296->97306 97298 407f64 97297->97298 97300 41a590 2 API calls 97297->97300 97298->96964 97301 407f55 97300->97301 97301->96964 97302->97296 97304 41a590 2 API calls 97303->97304 97305 40817e 97304->97305 97305->96925 97307 41af30 LdrLoadDll 97306->97307 97308 41a5ac 97307->97308 97311 1712c70 LdrInitializeThunk 97308->97311 97309 41a5c3 97309->97296 97311->97309 97313 41b593 97312->97313 97316 40acf0 97313->97316 97315 409c5b 97315->96933 97318 40ad14 97316->97318 97317 40ad1b 97317->97315 97318->97317 97319 40ad50 LdrLoadDll 97318->97319 97320 40ad67 97318->97320 97319->97320 97320->97315 97322 40b063 97321->97322 97324 40b0e0 97322->97324 97336 419c60 LdrLoadDll 97322->97336 97324->96938 97326 41af30 LdrLoadDll 97325->97326 97327 40f1bb 97326->97327 97327->96941 97328 41a7a0 97327->97328 97329 41a7bf LookupPrivilegeValueW 97328->97329 97330 41af30 LdrLoadDll 97328->97330 97329->96943 97330->97329 97332 41af30 LdrLoadDll 97331->97332 97333 41a24c 97332->97333 97337 1712ea0 LdrInitializeThunk 97333->97337 97334 41a26b 97334->96944 97336->97324 97337->97334 97339 40b1f0 97338->97339 97340 40b040 LdrLoadDll 97339->97340 97341 40b204 97340->97341 97341->96880 97343 40ae51 97342->97343 97344 40ae4d 97342->97344 97345 40ae6a 97343->97345 97346 40ae9c 97343->97346 97344->96883 97389 419ca0 LdrLoadDll 97345->97389 97390 419ca0 LdrLoadDll 97346->97390 97348 40aead 97348->96883 97350 40ae8c 97350->96883 97352 40f4a0 3 API calls 97351->97352 97353 4143c6 97352->97353 97353->96885 97355 408a79 97354->97355 97391 4087a0 97354->97391 97357 408a9d 97355->97357 97358 4087a0 19 API calls 97355->97358 97357->96887 97359 408a8a 97358->97359 97359->97357 97409 40f710 10 API calls 97359->97409 97362 41af30 LdrLoadDll 97361->97362 97363 41a4ec 97362->97363 97528 1712e80 LdrInitializeThunk 97363->97528 97364 40c322 97366 40f4a0 97364->97366 97367 40f4bd 97366->97367 97529 419f90 97367->97529 97369 40f4fe 97370 40f505 97369->97370 97371 419fe0 2 API calls 97369->97371 97370->96891 97372 40f52e 97371->97372 97372->96891 97374 419fe6 97373->97374 97375 41af30 LdrLoadDll 97374->97375 97376 419ffc 97375->97376 97540 1712d10 LdrInitializeThunk 97376->97540 97377 40c385 97377->96897 97377->96900 97380 41af30 LdrLoadDll 97379->97380 97381 41a04c 97380->97381 97541 1712d30 LdrInitializeThunk 97381->97541 97382 40c459 97382->96908 97385 41af30 LdrLoadDll 97384->97385 97386 419e0c 97385->97386 97542 1712fb0 LdrInitializeThunk 97386->97542 97387 40c4ac 97387->96912 97389->97350 97390->97348 97392 407ea0 4 API calls 97391->97392 97407 4087ba 97391->97407 97392->97407 97393 408a3f 97394 408160 2 API calls 97393->97394 97395 408a49 97394->97395 97395->97355 97398 419ed0 2 API calls 97398->97407 97400 41a460 LdrLoadDll NtClose 97400->97407 97403 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 97403->97407 97406 419df0 2 API calls 97406->97407 97407->97393 97407->97395 97407->97398 97407->97400 97407->97403 97407->97406 97410 419ce0 97407->97410 97413 4085d0 97407->97413 97425 40f5f0 LdrLoadDll NtClose 97407->97425 97426 419d60 LdrLoadDll 97407->97426 97427 419d90 LdrLoadDll 97407->97427 97428 419e20 LdrLoadDll 97407->97428 97429 4083a0 97407->97429 97445 405f60 LdrLoadDll 97407->97445 97409->97357 97411 419cfc 97410->97411 97412 41af30 LdrLoadDll 97410->97412 97411->97407 97412->97411 97414 4085e6 97413->97414 97446 419850 97414->97446 97416 408771 97416->97407 97417 4085ff 97417->97416 97467 4081a0 97417->97467 97419 4086e5 97419->97416 97420 4083a0 11 API calls 97419->97420 97421 408713 97420->97421 97421->97416 97422 419ed0 2 API calls 97421->97422 97423 408748 97422->97423 97423->97416 97424 41a4d0 2 API calls 97423->97424 97424->97416 97425->97407 97426->97407 97427->97407 97428->97407 97430 4083c9 97429->97430 97507 408310 97430->97507 97433 41a4d0 2 API calls 97434 4083dc 97433->97434 97434->97433 97435 408467 97434->97435 97437 408462 97434->97437 97515 40f670 97434->97515 97435->97407 97436 41a460 2 API calls 97438 40849a 97436->97438 97437->97436 97438->97435 97439 419ce0 LdrLoadDll 97438->97439 97440 4084ff 97439->97440 97440->97435 97519 419d20 97440->97519 97442 408563 97442->97435 97443 414a50 8 API calls 97442->97443 97444 4085b8 97443->97444 97444->97407 97445->97407 97447 41bf60 2 API calls 97446->97447 97448 419867 97447->97448 97474 409310 97448->97474 97450 419882 97451 4198c0 97450->97451 97452 4198a9 97450->97452 97455 41bd10 2 API calls 97451->97455 97453 41bd90 2 API calls 97452->97453 97454 4198b6 97453->97454 97454->97417 97456 4198fa 97455->97456 97457 41bd10 2 API calls 97456->97457 97458 419913 97457->97458 97464 419bb4 97458->97464 97480 41bd50 97458->97480 97461 419ba0 97462 41bd90 2 API calls 97461->97462 97463 419baa 97462->97463 97463->97417 97465 41bd90 2 API calls 97464->97465 97466 419c09 97465->97466 97466->97417 97468 40829f 97467->97468 97469 4081b5 97467->97469 97468->97419 97469->97468 97470 414a50 8 API calls 97469->97470 97471 408222 97470->97471 97472 41bd90 2 API calls 97471->97472 97473 408249 97471->97473 97472->97473 97473->97419 97475 409335 97474->97475 97476 40acf0 LdrLoadDll 97475->97476 97477 409368 97476->97477 97479 40938d 97477->97479 97483 40cf20 97477->97483 97479->97450 97501 41a550 97480->97501 97484 40cf4c 97483->97484 97485 41a1b0 LdrLoadDll 97484->97485 97486 40cf65 97485->97486 97487 40cf6c 97486->97487 97494 41a1f0 97486->97494 97487->97479 97491 40cfa7 97492 41a460 2 API calls 97491->97492 97493 40cfca 97492->97493 97493->97479 97495 41a20c 97494->97495 97496 41af30 LdrLoadDll 97494->97496 97500 1712ca0 LdrInitializeThunk 97495->97500 97496->97495 97497 40cf8f 97497->97487 97499 41a7e0 LdrLoadDll 97497->97499 97499->97491 97500->97497 97502 41af30 LdrLoadDll 97501->97502 97503 41a56c 97502->97503 97506 1712f90 LdrInitializeThunk 97503->97506 97504 419b99 97504->97461 97504->97464 97506->97504 97508 408328 97507->97508 97509 40acf0 LdrLoadDll 97508->97509 97510 408343 97509->97510 97511 414e50 LdrLoadDll 97510->97511 97512 408353 97511->97512 97513 40835c PostThreadMessageW 97512->97513 97514 408370 97512->97514 97513->97514 97514->97434 97516 40f683 97515->97516 97522 419e60 97516->97522 97520 419d3c 97519->97520 97521 41af30 LdrLoadDll 97519->97521 97520->97442 97521->97520 97523 419e7c 97522->97523 97524 41af30 LdrLoadDll 97522->97524 97527 1712dd0 LdrInitializeThunk 97523->97527 97524->97523 97525 40f6ae 97525->97434 97527->97525 97528->97364 97530 419fac 97529->97530 97531 41af30 LdrLoadDll 97529->97531 97538 1712f30 LdrInitializeThunk 97530->97538 97531->97530 97532 419fcf 97532->97369 97533 41af30 LdrLoadDll 97532->97533 97534 419ffc 97533->97534 97539 1712d10 LdrInitializeThunk 97534->97539 97535 41a02b 97535->97369 97538->97532 97539->97535 97540->97377 97541->97382 97542->97387

                                                                                                                                                        Executed Functions

                                                                                                                                                        Function 0041A3DA Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38filenativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
                                                                                                                                                        APIs
                                                                                                                                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FileRead
                                                                                                                                                        • String ID: 1JA$rMA$rMA
                                                                                                                                                        • API String ID: 2738559852-782607585
                                                                                                                                                        • Opcode ID: ac26e2eead842cf67d4cc4646b55e6db792ab7ec0130b0b1aebf9242eebc898f
                                                                                                                                                        • Instruction ID: 1621ec5d5615cfbbd2a7460557919eecc80803f6b914c945317f9110520505c4
                                                                                                                                                        • Opcode Fuzzy Hash: ac26e2eead842cf67d4cc4646b55e6db792ab7ec0130b0b1aebf9242eebc898f
                                                                                                                                                        • Instruction Fuzzy Hash: E1F0F4B2200118AFCB14CF99DC81EEB77A9EF8C354F158249BA1DD7241DA30E912CBA0
                                                                                                                                                        Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
                                                                                                                                                        APIs
                                                                                                                                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: FileRead
                                                                                                                                                        • String ID: 1JA$rMA$rMA
                                                                                                                                                        • API String ID: 2738559852-782607585
                                                                                                                                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                        • Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
                                                                                                                                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                        • Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                                                                                                                                        Function 0041A2EB Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 204 41a2eb-41a2ef 205 41a2f1-41a329 call 41af30 204->205 206 41a346-41a381 call 41af30 NtCreateFile 204->206
                                                                                                                                                        APIs
                                                                                                                                                        • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                        • Opcode ID: fd6409369499a9aa7a69765ed3f4feb42ed0b969e52c3f9ae1d301d8893e82c0
                                                                                                                                                        • Instruction ID: aaf30276e27feee70eaf5ef818d2fb9516147c3f277a8e2d9c515ed336a7d524
                                                                                                                                                        • Opcode Fuzzy Hash: fd6409369499a9aa7a69765ed3f4feb42ed0b969e52c3f9ae1d301d8893e82c0
                                                                                                                                                        • Instruction Fuzzy Hash: 7211E5B2215108AFCB08DF98DC85DEB73ADAF8C314F108209FE1D97241D634E861CBA4
                                                                                                                                                        Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 257 41a330-41a381 call 41af30 NtCreateFile
                                                                                                                                                        APIs
                                                                                                                                                        • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                        • Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
                                                                                                                                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                        • Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4
                                                                                                                                                        Function 0041A50C Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 261 41a50c-41a54d call 41af30 NtAllocateVirtualMemory
                                                                                                                                                        APIs
                                                                                                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocateMemoryVirtual
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2167126740-0
                                                                                                                                                        • Opcode ID: f6a9656891865fe46833127451bc76cec07cece9d25c5ff69d0cd68c62593d4a
                                                                                                                                                        • Instruction ID: e2c8ed0ff941296fe227198e94f94f2569fe5c031e0d4c6c842169a83b461cf8
                                                                                                                                                        • Opcode Fuzzy Hash: f6a9656891865fe46833127451bc76cec07cece9d25c5ff69d0cd68c62593d4a
                                                                                                                                                        • Instruction Fuzzy Hash: 2DF015B2214109AFDB18DF89CC81EEB77ADAF88354F118249BA0C97245C630E911CBA0
                                                                                                                                                        Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Close
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                        • Opcode ID: aa5d259affc9c2a15dfae388f785dda8d20d4c05b7911eddf8cfd44673aa2e28
                                                                                                                                                        • Instruction ID: d1cf02db40167ec37705e0b9dfbb3c45d0b047f53a2925f5f8260eef5ce17965
                                                                                                                                                        • Opcode Fuzzy Hash: aa5d259affc9c2a15dfae388f785dda8d20d4c05b7911eddf8cfd44673aa2e28
                                                                                                                                                        • Instruction Fuzzy Hash: 41E08C76600214ABDB10EB94CC86F977768EF48760F014499BE186B342C530FA11CBD1
                                                                                                                                                        Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Close
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                        • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                                                                                                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                        • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
                                                                                                                                                        Function 0040830A Relevance: 1.6, APIs: 1, Instructions: 56threadwindowCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 212 40830a-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 212->221 222 40838e-408392 212->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
                                                                                                                                                        APIs
                                                                                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1836367815-0
                                                                                                                                                        • Opcode ID: 21489f4fcbbea4f2ed5729be1759cc407b639bf3a27e4ff756f5d65fe6ecdfd2
                                                                                                                                                        • Instruction ID: 16702e0c4cae5f4026594a61028452be54daae5ed4e574d5dd7321583c1b3909
                                                                                                                                                        • Opcode Fuzzy Hash: 21489f4fcbbea4f2ed5729be1759cc407b639bf3a27e4ff756f5d65fe6ecdfd2
                                                                                                                                                        • Instruction Fuzzy Hash: F701D471A8032876EB20A6959D43FFF662C6B40F54F04011AFF04BA1C1EAA8690542EA
                                                                                                                                                        Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 227 408310-40831f 228 408328-40835a call 41c9d0 call 40acf0 call 414e50 227->228 229 408323 call 41be30 227->229 236 40835c-40836e PostThreadMessageW 228->236 237 40838e-408392 228->237 229->228 238 408370-40838a call 40a480 236->238 239 40838d 236->239 238->239 239->237
                                                                                                                                                        APIs
                                                                                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1836367815-0
                                                                                                                                                        • Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                        • Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
                                                                                                                                                        • Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                        • Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                                                                                                                        Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                                                                                                        Download Yara Rule

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        • Executed
                                                                                                                                                        • Not Executed
                                                                                                                                                        control_flow_graph 242 40acf0-40ad19 call 41cc20 245 40ad1b-40ad1e 242->245 246 40ad1f-40ad2d call 41d040 242->246 249 40ad3d-40ad4e call 41b470 246->249 250 40ad2f-40ad3a call 41d2c0 246->250 255 40ad50-40ad64 LdrLoadDll 249->255 256 40ad67-40ad6a 249->256 250->249 255->256
                                                                                                                                                        APIs
                                                                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1772840682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_400000_RegSvcs.jbxd
                                                                                                                                                        Yara matches
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Load
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2234796835-0
                                                                                                                                                        • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                        • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                                                                                                                                                        • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                        • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95
                                                                                                                                                        Function 01712C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B6E7,000000FF,00000007,00000000,00000004,00000000,?,?,?,0175B3F9,00000065,00000000,?,0175A98E,FFFFFFE0,00000000), ref: 01712C24
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: e262ef28ab00596a0cc49432d31e84d3ce9c4d935269d15c34b1b619e69922e2
                                                                                                                                                        • Instruction ID: a323260477282b4cf44ad06a28dfc5d363ee79f45c3d97220a96efcf4ca99216
                                                                                                                                                        • Opcode Fuzzy Hash: e262ef28ab00596a0cc49432d31e84d3ce9c4d935269d15c34b1b619e69922e2
                                                                                                                                                        • Instruction Fuzzy Hash: 61B09B719055D5C6DB11E7644609717B95077D0701F25C071D3030651F4739C1D1E276
                                                                                                                                                        Function 01712B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B55B,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 01712B6A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 8ccaf95052fb271909cf39f4c27f8ea2ca26172c624b68838588beaeaffd26fe
                                                                                                                                                        • Instruction ID: d6fe6ff9babba8304c1e03747523c48ca65e8ea9b6155d3f6dbb68817726502f
                                                                                                                                                        • Opcode Fuzzy Hash: 8ccaf95052fb271909cf39f4c27f8ea2ca26172c624b68838588beaeaffd26fe
                                                                                                                                                        • Instruction Fuzzy Hash: 3690026120641003420571584415616805A97E0201B55C031E10145A0DC9268A926226
                                                                                                                                                        Function 01712BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B35D,000000FF,00000000,00000000,0000000C,00001000,00000004,017AD260,0000001C,0175B0B6), ref: 01712BFA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 6cdbd9210504328c4ab690f8fd5ed85e20c24a0585f8bcf390dd57c2baa1fa2e
                                                                                                                                                        • Instruction ID: d79abf5b492707684e2f600b506c9a14ac2652d67bd70f11a64cc3fbd8267b3c
                                                                                                                                                        • Opcode Fuzzy Hash: 6cdbd9210504328c4ab690f8fd5ed85e20c24a0585f8bcf390dd57c2baa1fa2e
                                                                                                                                                        • Instruction Fuzzy Hash: D290023120541802D2807158440564A405597D1301F95C025E0025664DCE168B5A77A2
                                                                                                                                                        Function 01712AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(01763A38,?,00000000,00000000,00000000,00000000,00000000,016A5608,00000000,00000000,00000000,?,?,?,?), ref: 01712ADA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: eee1b3ebbcef97920ac9152a5e64d71ba7a57fbab0a892a712eb82537b80aaa8
                                                                                                                                                        • Instruction ID: 33cbdb254eae647f3c2e0825399d2699f44236f1639f74523def2130e4e7a7b4
                                                                                                                                                        • Opcode Fuzzy Hash: eee1b3ebbcef97920ac9152a5e64d71ba7a57fbab0a892a712eb82537b80aaa8
                                                                                                                                                        • Instruction Fuzzy Hash: 32900225215410030205B5580705507409697D5351355C031F1015560CDA228A625222
                                                                                                                                                        Function 01712D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B54A,000000FF,00000000,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 01712D3A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 894e66bc5e228f000624e26ac9e5a871dbcba1ff71d43be023cc97d35f360aaf
                                                                                                                                                        • Instruction ID: 91ed4f329e14552357a79492356f9a754ff3f3101f2ebf1508ff286e728c2cbc
                                                                                                                                                        • Opcode Fuzzy Hash: 894e66bc5e228f000624e26ac9e5a871dbcba1ff71d43be023cc97d35f360aaf
                                                                                                                                                        • Instruction Fuzzy Hash: C290022130541003D240715854196068055E7E1301F55D021E0414564CDD168A575323
                                                                                                                                                        Function 01712D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B508,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 01712D1A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: d42d56036cdeedd83e00b74ea11d424adf6e3f80a52c9176d1bc5c434af0404d
                                                                                                                                                        • Instruction ID: 8761cdffe7d0b50b18ce94d9407253e3315194e8b8d9efb2a2d0e82b6696f693
                                                                                                                                                        • Opcode Fuzzy Hash: d42d56036cdeedd83e00b74ea11d424adf6e3f80a52c9176d1bc5c434af0404d
                                                                                                                                                        • Instruction Fuzzy Hash: 3E90022921741002D2807158540960A405597D1202F95D425E0015568CCD168A6A5322
                                                                                                                                                        Function 01712DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B05B,00000073,?,00000008,00000000,000000FF,00000004), ref: 01712DFA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 129f9b25391f03ec96f817a730ce34a9f9db5e5c9db7923a056a3b8a82a1c368
                                                                                                                                                        • Instruction ID: e600d43417d15d6da552af8037c9c5b3a58776fcb0a728755df5cec20fe6c462
                                                                                                                                                        • Opcode Fuzzy Hash: 129f9b25391f03ec96f817a730ce34a9f9db5e5c9db7923a056a3b8a82a1c368
                                                                                                                                                        • Instruction Fuzzy Hash: 1A90023120541413D21171584505707405997D0241F95C422E0424568DDA578B53A222
                                                                                                                                                        Function 01712DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(017291A3,00000000,?,?,?,?,016D8A1A,017AC2B0,00000018,016C8873), ref: 01712DDA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 28fe47d7c7f6752366c52ad3bfd5277c93c6e5b4594dcfe280dc5a1ae4c3f15e
                                                                                                                                                        • Instruction ID: da07f52755c4e22cbcf93cea99ca55a504d4fa410be03a16efb91c897b4cda3d
                                                                                                                                                        • Opcode Fuzzy Hash: 28fe47d7c7f6752366c52ad3bfd5277c93c6e5b4594dcfe280dc5a1ae4c3f15e
                                                                                                                                                        • Instruction Fuzzy Hash: F0900221246451525645B15844055078056A7E0241795C022E1414960CC9279A57D722
                                                                                                                                                        Function 01712C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B58B,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,0175B3CF,000000FF,00000000,00000000,0000000C,00001000,00000004,017AD260), ref: 01712C7A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 3fe30c20ad9a364eeaccebf9736512f4c1a12902a3b0d8f5937aeffdaf3087bc
                                                                                                                                                        • Instruction ID: 2a0f826433e31f4d0065fc0392bdd9061d101624c984ac67157b79220d43d91a
                                                                                                                                                        • Opcode Fuzzy Hash: 3fe30c20ad9a364eeaccebf9736512f4c1a12902a3b0d8f5937aeffdaf3087bc
                                                                                                                                                        • Instruction Fuzzy Hash: 5290023120549802D2107158840574A405597D0301F59C421E4424668DCA968A927222
                                                                                                                                                        Function 01712CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(016F3999,000000FA,00000001,?,00000050,?,01783A2F), ref: 01712CAA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 620d47cd179ad28ad9795ac51e94469fcbf1917227bc33d36e716f4bda2e1d23
                                                                                                                                                        • Instruction ID: b6eba0bbacb4a055dbe47fe8baa3822798b93027e838c01591122e316c05ed0e
                                                                                                                                                        • Opcode Fuzzy Hash: 620d47cd179ad28ad9795ac51e94469fcbf1917227bc33d36e716f4bda2e1d23
                                                                                                                                                        • Instruction Fuzzy Hash: 5E90023120541402D20075985409646405597E0301F55D021E5024565ECA668A926232
                                                                                                                                                        Function 01712F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(0175B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 01712F3A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 2ed0beb41d4e01d4c64774ee1ed54f5edf113c74cbddd76db0ea357ee3ea9d7b
                                                                                                                                                        • Instruction ID: 4acda381934014576e3d970ec6ea8a2b822eaf070a33beee316c2a231bee8737
                                                                                                                                                        • Opcode Fuzzy Hash: 2ed0beb41d4e01d4c64774ee1ed54f5edf113c74cbddd76db0ea357ee3ea9d7b
                                                                                                                                                        • Instruction Fuzzy Hash: F990026134541442D20071584415B064055D7E1301F55C025E1064564DCA1ACE536227
                                                                                                                                                        Function 01712FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(017117E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 01712FEA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 757c8e8b32d7438f870a14d7328ce769dc96053a208a5804ca295b3b7f84914c
                                                                                                                                                        • Instruction ID: 3ea57848ff096a4429418fb8c269ad8e1cf5cbe263c19738461f121dcbdf3363
                                                                                                                                                        • Opcode Fuzzy Hash: 757c8e8b32d7438f870a14d7328ce769dc96053a208a5804ca295b3b7f84914c
                                                                                                                                                        • Instruction Fuzzy Hash: 09900221215C1042D30075684C15B07405597D0303F55C125E0154564CCD168A625622
                                                                                                                                                        Function 01712FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(017105E3,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?), ref: 01712FBA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 5b1f3ee7408cdd45a90149cdf5add2bc6b0a0f2bc1e6562d2469111de36314d3
                                                                                                                                                        • Instruction ID: aab3ee1da1f6c76e3e3dfc1328eb13f2e841b27511cfca6f18654955f8b0579c
                                                                                                                                                        • Opcode Fuzzy Hash: 5b1f3ee7408cdd45a90149cdf5add2bc6b0a0f2bc1e6562d2469111de36314d3
                                                                                                                                                        • Instruction Fuzzy Hash: B1900221605410424240716888459068055BBE1211755C131E0998560DC95A8A665766
                                                                                                                                                        Function 01712F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(016CDE0E,000000FF,?,00001000,00000000,-00000018,?,00000001,-00000018,?), ref: 01712F9A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 3a03e34326d5e50feeeb1d70268121fc9d60869736726c68b3d03338d10581e6
                                                                                                                                                        • Instruction ID: d44f686403eece4db705a133797b31974a26c15d2c5863d04b9ba4334b220805
                                                                                                                                                        • Opcode Fuzzy Hash: 3a03e34326d5e50feeeb1d70268121fc9d60869736726c68b3d03338d10581e6
                                                                                                                                                        • Instruction Fuzzy Hash: 5590023120581402D2007158481570B405597D0302F55C021E1164565DCA268A526672
                                                                                                                                                        Function 01712EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(017672C6,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00800000,?,0173A419,?,016F1427,000000FF,0000001F), ref: 01712EAA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 8fe8da6824152fbed77d0a4711d7dc62e940000486983957f1b2dd7b6f395a4c
                                                                                                                                                        • Instruction ID: db9002ace8bce17cb0a836228ad31afcbb323ac4dc665545e6ed2e3ca825c796
                                                                                                                                                        • Opcode Fuzzy Hash: 8fe8da6824152fbed77d0a4711d7dc62e940000486983957f1b2dd7b6f395a4c
                                                                                                                                                        • Instruction Fuzzy Hash: 7290027120541402D24071584405746405597D0301F55C021E5064564ECA5A8FD66766
                                                                                                                                                        Function 01712E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                                                                                                        Download Yara Rule
                                                                                                                                                        APIs
                                                                                                                                                        • LdrInitializeThunk.NTDLL(017788F1,?,?,00000048,00000048,00000048,00000004,00000004,00000000,00000000,00000004,00000000,?,?,?,00000048), ref: 01712E8A
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000000C.00000002.1774493841.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016A0000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_12_2_16a0000_RegSvcs.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                        • Opcode ID: 8e1288cbc79842a2f5ec0a4eed969da8c98e3fe560f977cef9ba74630a7f8853
                                                                                                                                                        • Instruction ID: e252f52d3e262447262df49ab957a8c8355e068c1707d999f7ac89ab4bd00732
                                                                                                                                                        • Opcode Fuzzy Hash: 8e1288cbc79842a2f5ec0a4eed969da8c98e3fe560f977cef9ba74630a7f8853
                                                                                                                                                        • Instruction Fuzzy Hash: 6D90022160541502D20171584405616405A97D0241F95C032E1024565ECE268B93A232